PkgRadar

Maven · repo1.maven.org

org.forgerock:forgerock-auth

Java Unsafe Deserialize: ObjectInputStream / XStream.fromXML — untrusted deserialization sink.

Why PkgRadar flagged 4.8.6

SeveritySignalEvidence
mediumJava Unsafe DeserializeObjectInputStream / XStream.fromXML — untrusted deserialization sink. · org/forgerock/android/auth/CookieMarshaller.java
mediumJava Static Init Side EffectStatic-initializer block contains process/network/reflection — runs on first class load (contributory signal). · org/forgerock/android/auth/FRUser.java
mediumJava Static Init Side EffectStatic-initializer block contains process/network/reflection — runs on first class load (contributory signal). · org/forgerock/android/auth/FRSession.java

Scanned versions

VersionVerdictScoreScanned (UTC)
4.8.6Review222026-06-16

Block this in CI

PkgRadar gates org.forgerock:forgerock-auth (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem maven org.forgerock:[email protected]
Start free — 25 scans / moView full evidence