Chapter 1. Security Alerts

The APPLICATION_JAVA_OBJECT and APPLICATION_JAVA_OBJECT_XML media types are not safe to use from a security perspective. There is a weakness in the XML deserialization mechanism used by these media types, which allows a remote attacker to force the JVM to execute unwanted Java code embedded inside a specially-crafted request to the REST endpoint. By default, camel-restlet uses the APPLICATION_WWW_FORM media type, which is not affected by this issue. It is possible to change the media type by setting the Content-Type message header. If you do so, it is important to ensure you do not use the APPLICATION_JAVA_OBJECT and APPLICATION_JAVA_OBJECT_XML media types. These media types will be disabled entirely in a future release.