In January 2017, the Zero Day Initiative (ZDI) published an advisory for Apache Groovy, ZDI-17-044/CVE-2016-6814. This vulnerability, reported to us in late 2016 by Sam Thomas of Pentest Limited, is a rather deft patch bypass for an earlier vulnerability that was also submitted via the ZDI program.

The technique the researcher used for this patch bypass highlights the treacherous nature of deserialization vulnerabilities.

source: grugq