Maven · repo1.maven.org

com.github.ifeilong:feilong

Java Unsafe Deserialize: ObjectInputStream / XStream.fromXML — untrusted deserialization sink.

Why PkgRadar flagged 4.5.4

Severity	Signal	Evidence
medium	Java Unsafe Deserialize	ObjectInputStream / XStream.fromXML — untrusted deserialization sink. · com/feilong/lib/lang3/SerializationUtils.java
medium	Java Unsafe Deserialize	ObjectInputStream / XStream.fromXML — untrusted deserialization sink. · com/feilong/lib/org/apache/http/impl/client/BasicAuthCache.java
medium	Java Dynamic Classload	URLClassLoader / defineClass — runs attacker-provided bytecode. · com/feilong/lib/javassist/util/proxy/DefinePackageHelper.java
medium	Java Dynamic Classload	URLClassLoader / defineClass — runs attacker-provided bytecode. · com/feilong/lib/javassist/util/proxy/DefineClassHelper.java
medium	Java Dynamic Classload	URLClassLoader / defineClass — runs attacker-provided bytecode. · com/feilong/lib/javassist/Loader.java
medium	Java Dynamic Classload	URLClassLoader / defineClass — runs attacker-provided bytecode. · com/feilong/lib/ognl/security/OgnlSecurityManagerFactory.java
medium	Java Dynamic Classload	URLClassLoader / defineClass — runs attacker-provided bytecode. · com/feilong/lib/ognl/enhance/EnhancedClassLoader.java

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`4.5.4`	Review	100	2026-06-11
`4.5.3`	Low risk	0	2026-06-10

Block this in CI

PkgRadar gates com.github.ifeilong:feilong (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem maven com.github.ifeilong:[email protected]