Memory and resource leaks during serialization can result in a resource exhaustion attack or can crash the Java Virtual Machine.
Detecting code that should be considered privileged or sensitive requires programmer assistance. Given identified privileged code as a starting point, automated tools could compute the closure of all code that can be invoked from that point. Such a tool could plausibly determine whether all code in that closure exists within a single package. A further check of whether the package is sealed is feasible.
Closeable Not Stored (Java)