diff --git a/pulsar-functions/api-java/pom.xml b/pulsar-functions/api-java/pom.xml
index c28159bed2421..6f22762ed6c44 100644
--- a/pulsar-functions/api-java/pom.xml
+++ b/pulsar-functions/api-java/pom.xml
@@ -55,6 +55,10 @@
${project.version}
compile
+
+ io.github.pixee
+ java-security-toolkit
+
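Review bot: The added `io.github.pixee:java-security-toolkit` entry puts a new third-party library on the classpath of the Functions API module, which user function code is built against, for what appears in this diff to be a single call in `JavaSerDe.deserialize`. The XML element tags are not visible in this hunk, so the scope is inferred to be the default one; if so, anything depending on this module inherits the artifact transitively. The JDK's own `java.io.ObjectInputFilter` (Java 9+) could provide the filter without the extra dependency, if the module's Java target allows it. If the dependency stays, I would add a comment above it such as `<!-- used only by JavaSerDe to install a deserialization filter -->` and confirm that the version pinned as 1.1.3 in the pulsar-functions/pom.xml hunk is covered by the project's license and dependency checks.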
diff --git a/pulsar-functions/api-java/src/main/java/org/apache/pulsar/functions/api/utils/JavaSerDe.java b/pulsar-functions/api-java/src/main/java/org/apache/pulsar/functions/api/utils/JavaSerDe.java
index c145179abb42b..fe99c4b14f9e0 100644
--- a/pulsar-functions/api-java/src/main/java/org/apache/pulsar/functions/api/utils/JavaSerDe.java
+++ b/pulsar-functions/api-java/src/main/java/org/apache/pulsar/functions/api/utils/JavaSerDe.java
@@ -18,6 +18,7 @@
*/
package org.apache.pulsar.functions.api.utils;
+import io.github.pixee.security.ObjectInputFilters;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
@@ -60,6 +61,7 @@ public Object deserialize(byte[] data) {
Object obj = null;
try (ByteArrayInputStream bis = new ByteArrayInputStream(data);
ObjectInputStream ois = new ObjectInputStream(bis)) {
+ ObjectInputFilters.enableObjectFilterIfUnprotected(ois);
obj = ois.readObject();
} catch (Exception ex) {
log.info("Exception during deserialization", ex);
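Review bot: The filter installed on the line before `ois.readObject()` is, as far as I know from the toolkit, a denylist of publicly known gadget classes applied only when no filter is already set, so it narrows the deserialization surface for `data` rather than closing it. That limit deserves a comment on the new line, for example `// Blocks known gadget classes only; input from untrusted topics still needs an allowlist of expected types`. Where the payload types are known, an allowlist is the stronger control, e.g. `ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("com.example.model.*;java.lang.*;!*"));` (the pattern is a constructed example, and the API needs Java 9+). A class rejected by the filter surfaces as an exception in the existing `catch (Exception ex)` and is logged at info level, which makes a blocked payload hard to tell from ordinary noise; `log.warn("Deserialization rejected or failed", ex);` would make it visible to monitoring. The body of `deserialize` continues outside this hunk, so what is returned after the catch is not visible here.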
diff --git a/pulsar-functions/pom.xml b/pulsar-functions/pom.xml
index cddeec3be7dbb..3a8e6a5187c6f 100644
--- a/pulsar-functions/pom.xml
+++ b/pulsar-functions/pom.xml
@@ -76,4 +76,16 @@
+
+
+
+ io.github.pixee
+ java-security-toolkit
+ ${versions.java-security-toolkit}
+
+
+
+
+ 1.1.3
+