Sleeping Giants -- Activating Dormant Java Deserialization Gadget Chains through Stealthy Code Changes

📅 2025-04-29
📈 Citations: 0
Influential: 0
🤖 AI Summary
This paper identifies the risk that "dormant" deserialization gadget chains in Java dependency libraries can be inadvertently activated by minor code changes, whether routine maintenance updates or deliberate supply-chain poisoning. Method: the authors systematically quantify, for the first time, how volatile class serializability is over a dependency's evolution, propose three patterns of stealthy gadget-injecting code changes, and combine static analysis with three detection tools (GadgetInspector, SerialKiller, JQF) and a large-scale comparison of dependency evolution. Contribution/Results: across 533 widely used Java libraries, 26.08% were found to activate new deserialization gadget chains after trivial modifications; manual validation confirmed 53 real-world exploitable dormant chains. The study establishes dormant chains as a novel supply-chain attack vector, substantially expanding the known deserialization attack surface and providing both a theoretical foundation and practical methodology for dependency security governance.

📝 Abstract
Java deserialization gadget chains are a well-researched critical software weakness. The vast majority of known gadget chains rely on gadgets from software dependencies. Furthermore, it has been shown that small code changes in dependencies have enabled these gadget chains. This makes gadget chain detection a purely reactive endeavor. Even if one dependency's deployment pipeline employs gadget chain detection, a gadget chain can still result from gadgets in other dependencies. In this work, we assess how likely small code changes are to enable a gadget chain. These changes could either be accidental or intentional as part of a supply chain attack. Specifically, we show that class serializability is a strongly fluctuating property over a dependency's evolution. Then, we investigate three change patterns by which an attacker could stealthily introduce gadgets into a dependency. We apply these patterns to 533 dependencies and run three state-of-the-art gadget chain detectors both on the original and the modified dependencies. The tools detect that applying the modification patterns can activate/inject gadget chains in 26.08% of the dependencies we selected. Finally, we verify the newly detected chains. As such, we identify dormant gadget chains in 53 dependencies that could be added through minor code modifications. This both shows that Java deserialization gadget chains are a broad liability to software and proves dormant gadget chains as a lucrative supply chain attack vector.
Problem

Research questions and friction points this paper is trying to address.

Assessing likelihood of small code changes enabling Java deserialization gadget chains
Investigating stealthy patterns for introducing gadgets in dependencies
Identifying dormant gadget chains as a supply chain attack vector
Innovation

Methods, ideas, or system contributions that make the work stand out.

Assessing small code changes enabling gadget chains
Investigating stealthy gadget introduction patterns
Detecting dormant gadget chains in dependencies
Authors
Bruno Kreyssig, Umeå University, Umeå, Sweden
Sabine Houy, Umeå University, Umeå, Sweden
Timothée Riom, Umeå University, Umeå, Sweden
Alexandre Bartel, University of Luxembourg
Categories: Security; Software Engineering