Do not make such a strong security claim

owen-mc · Copilot · web-flow · commit f2ea3b98d884 · 2026-05-07T10:58:35.000+01:00
Co-authored-by: Copilot Autofix powered by AI &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp
@@ -21,10 +21,11 @@ Jackson, Jabsorb, Jodd JSON, Flexjson, Gson, JMS, and Java IO serialization thro
 <p>
 Note that a deserialization method is only dangerous if it can instantiate
 arbitrary classes. Serialization frameworks that use a schema to instantiate
-only expected, predefined types are generally safe and are not tracked by this
-query. For example, Apache Avro's deserialization methods follow a schema and
-therefore cannot instantiate arbitrary classes, making them safe to use even
-with untrusted data.
+only expected, predefined types are generally not tracked by this query. For
+example, Apache Avro's deserialization methods follow a schema and are
+therefore generally safe with respect to arbitrary-class-instantiation and
+gadget-chain attacks when the schema is trusted and does not permit
+user-controlled type resolution.
 </p>
 </overview>
 
