首先需要知道的是, 这是一条任意文件写入的利用链 (不受 autotype 限制), 而写入一个 jsp ...
This is the same vulnerability class responsible for the historical sequence of jackson-databind deserialization CVEs; here it manifests as a validator bypass rather than a missing deny-list entry.