JEP-200 is a Jenkins hardening measure that adds class filtering to object deserialization. In practice, it limits which Java classes Jenkins will accept when turning serialized data back into live objects. This matters because deserialization is a common attack surface: if an application accepts untrusted objects, an attacker may be able to trigger unsafe behavior, gadget chains, or code execution.
In Jenkins, many settings and plugin data are stored as structured XML and passed through libraries such as XStream. JEP-200 reduces risk by blocking unexpected or dangerous types before they are instantiated. Defenders rely on it to shrink the blast radius of configuration parsing bugs and plugin abuse, while attackers try to bypass or reach code paths that deserialize outside the approved class set. It is a control, not a complete fix, so secure permissions, patching, and trusted data handling still matter.



