https://adtmag.com/articles/2018/05/30/java-serialization.aspx

Oracle's chief architect says his company intends to remove serialization from Java -- eventually. Answering a question during a live-streamed session at the recent Devoxx UK 2018 conference called "Ask the Architect," Mark Reinhold said it's a long-term goal that has been a long time coming.

"[Serialization] was a horrible mistake in 1997," he said. "Some of us tried to fight it, but it went in, and there it is. ...We like to call serialization 'the gift that keeps on giving,' and the type of gift it keeps on giving is security vulnerabilities.... Probably a third of all Java vulnerabilities have involved serialization; it could be over half. It is an astonishingly fecund source of vulnerabilities, not to mention instabilities."