Change note

Owen Mansel-Chan
2025-07-11 11:01:51 +01:00
parent 8e4bd1a102
commit 7764fbb664

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The qualifiers of a calls to `readObject` on any classes that implement `java.io.ObjectInput` are now recognised as sinks for `java/unsafe-deserialization`. Previously this was only the case for classes which extend `java.io.ObjectInputStream`.
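Review bot: The added change-note bullet has a grammar slip in its opening words, "The qualifiers of a calls to `readObject`", and the plural "any classes that implement" reads awkwardly next to it. Suggest "The qualifiers of calls to `readObject` on any class that implements `java.io.ObjectInput` are now recognised as sinks for `java/unsafe-deserialization`." The second sentence could also use "that extend" instead of "which extend" to match the first. Since this text is published in the release notes, it is worth fixing before merge.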