PkgRadar

Maven · repo1.maven.org

com.google.appengine:appengine-remote-api

Java Unsafe Deserialize: ObjectInputStream / XStream.fromXML — untrusted deserialization sink.

Why PkgRadar flagged 5.0.4

SeveritySignalEvidence
mediumJava Unsafe DeserializeObjectInputStream / XStream.fromXML — untrusted deserialization sink. · com/google/appengine/tools/remoteapi/RemoteRpc.java
mediumRemote Payloadmatched "cUrl " · com/google/appengine/tools/remoteapi/OAuthClient.java

Scanned versions

VersionVerdictScoreScanned (UTC)
5.0.4Review92026-06-11

Block this in CI

PkgRadar gates com.google.appengine:appengine-remote-api (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem maven com.google.appengine:[email protected]
Start free — 25 scans / moView full evidence