In Java, 63 percent of high and critical vulnerabilities derive from indirect dependencies— i.e., third-party libraries that have been indirectly packaged with the application.

The vulnerability is part of a class of bugs that stem from Java object deserialization and which security researchers have warned about a year ago.