Affects:
Comment From: grubeninspekteur
Duplicates #24434
Java serialization is intrinsically unsafe, there is nothing Spring could do here to fix it. If you don't use the HttpInvoker mechanism with Java serialization, then you are not affected. If you are using HttpInvoker and the API you built is accessible by a third party, add a serialization filter to whitelist the types you need to accept.
Removing HttpInvoker in 5.x would be a breaking change. If a security scanning tool brought you here and you are not affected, you should mark the CVE as a false positive.
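As a worked illustration of the allow-list mitigation described above (an added example, not code from the Spring project or from the commenter), this subclass of HttpInvokerServiceExporter sets a JEP 290 ObjectInputFilter (Java 9+) on the stream Spring uses to read each request; the com.example.api package is a hypothetical placeholder for the exported service's own parameter and return types.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;

import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;

/**
 * HttpInvokerServiceExporter that applies a serialization filter to every
 * request it deserializes. Only the listed classes (and arrays of them) may
 * appear in the stream; any other class is rejected before it is resolved.
 */
public class FilteredHttpInvokerServiceExporter extends HttpInvokerServiceExporter {

    // Allow-list pattern. RemoteInvocation is Spring's wire envelope; the other
    // entries cover its fields (String method name, Class[] parameter types,
    // Object[] arguments, optional HashMap attributes) plus the service's own
    // DTOs. "com.example.api.**" is hypothetical: replace it with the package
    // of your real parameter/return types. The trailing "!*" rejects everything
    // not matched earlier; maxdepth/maxarray bound nesting and array sizes.
    private static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=16;maxarray=1000;"
            + "org.springframework.remoting.support.RemoteInvocation;"
            + "com.example.api.**;"
            + "java.lang.String;java.lang.Class;java.lang.Object;"
            + "java.lang.Number;java.lang.Integer;java.lang.Long;java.lang.Boolean;"
            + "java.util.HashMap;java.util.ArrayList;"
            + "!*");

    @Override
    protected ObjectInputStream createObjectInputStream(InputStream is) throws IOException {
        // Keep Spring's class-loader-aware stream, but gate what it may resolve.
        ObjectInputStream ois = super.createObjectInputStream(is);
        ois.setObjectInputFilter(ALLOW_LIST); // a rejected class raises InvalidClassException
        return ois;
    }
}
```

The same pattern can instead be applied process-wide with the JVM option `-Djdk.serialFilter=<pattern>`, which also covers any other ObjectInputStream in the application.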