Analysis updated 2026-07-03
- Generate deserialization payloads for libraries like Jackson, XStream, or SnakeYAML to test whether your Java app is vulnerable to remote code execution.
- Identify which marshalling gadget chains are present in your application's dependency tree to prioritize patching.
- Test your own systems for Log4Shell-style JNDI injection vulnerabilities using the included payload generators.
- Study the included research paper to understand how Java deserialization attacks work mechanically.
| | mbechler/marshalsec | oasisfeng/island | linkedin/databus |
|---|---|---|---|
| Stars | 3,683 | 3,685 | 3,680 |
| Language | Java | Java | Java |
| Setup difficulty | moderate | hard | hard |
| Complexity | 4/5 | 4/5 | 4/5 |
| Audience | developer | developer | ops devops |
Figures from each repo's GitHub metadata at analysis time.
Requires Java 8 and Maven to build. Only run payloads against systems you own or have explicit written permission to test.
This repository contains a research tool and accompanying paper focused on a category of security vulnerabilities in Java applications. The vulnerability class involves a process called unmarshalling, in which a program takes data received from outside (such as over a network) and converts it into internal Java objects. The research demonstrates that many popular Java libraries performing this conversion can be tricked into executing arbitrary code on the server if an attacker crafts the data carefully enough.

The README notes that this research connects to a well-known wave of Java security issues and is also relevant to the Log4Shell vulnerability (CVE-2021-44228), which received widespread attention in late 2021. A link to a separate post explaining the Log4Shell connection is included at the top.

The tool generates test payloads for a list of specific Java marshalling libraries, including Jackson, SnakeYAML, XStream, Kryo, Hessian, and others. For each library, it can produce payloads that attempt different types of impact: running a system command on the machine, loading code from a remote server, or triggering a lookup through a protocol called JNDI. Some payloads work using only standard Java components with no third-party libraries required, while others depend on additional packages being present in the target application.

Building the tool requires Java 8 and Maven, a standard Java build system. Once built, it runs from the command line with options to generate a single payload type or to test all available gadgets for a given library automatically.

The README states explicitly that all code and information are provided for educational purposes and for testing systems you own. This is a defensive research tool: understanding these attack paths helps developers and security teams identify whether their own applications are exposed to this class of vulnerability.
A Java security research tool that generates test payloads to check whether your application's deserialization libraries are vulnerable to remote code execution attacks.
Language: mainly Java, built with Maven.
Setup difficulty is rated moderate, with roughly 30 minutes to a first successful run.
Audience: mainly developers.
Verify against the repo before relying on details.