What are the security risks in the serialization of a lambda expression?

Question

Just going over Streams and Java 8 Lambda functionality, and the last comment on the otherwise self-explanatory Oracle doc Lambda Expressions states:

You can serialize a lambda expression if its target type and its captured arguments are serializable. However, like inner classes, the serialization of lambda expressions is strongly discouraged.

Checking up on this I found the SO question

How to serialize a lambda?

where the OP is dealing with serialized lambda expressions from client code.

If I had a webservice and one of the parameters was a lambda expression, it seems it could contain malicious code that could do such things as file system access, or causing a stack overflow - so it would be highly foolish to trust it.

Am I overexaggerating the security risk or are there limits to what a serialized expression can contain?

Answer 1

Lets put it this way: Java object serialization is (to a certain degree) a security nightmare anyway ( see here for example ).

In other words: serialization by itself is a topic where one needs to be really thoughtful in the first place. So it doesn't really matter if you talk about serialized lambdas, or any other kind of serialized objects.

So, for example you want to make sure that you understand and support the corresponding rules, like from CERT.