We can use any language that can produce Java serialization streams – with the jython library, Java itself, or a ready‑made tool like ysoserial . Because the vulnerable class ( Message ) is part of the same classpath, the simplest approach is to write a tiny Java program that serialises the object.
: You can try to paste the code into a search engine to see if any relevant information comes up. Sometimes, these codes are used in multiple places or are publicly listed. NHDTA-859-JAVHD-TODAY-0530202203-48-37 Min
ysoserial works because the vulnerable Message.readObject will still execute any command we embed in the payload. We can use any language that can produce