wire allows insecure deserialization. The way the type information is handled in its serialization format allows an attacker to pass malicious payloads (a different type for the receiving end) to the deserializer and potentially cause unexpected application behavior.