It was found that Jython is vulnerable to arbitrary code execution by sending a serialized function to the deserializer, which in turn will execute the code.

Upstream issue: http://bugs.jython.org/issue2454

Upstream patch: https://hg.python.org/jython/rev/d06e29d100c0

References: https://snyk.io/vuln/SNYK-JAVA-ORGPYTHON-31451