Permitting  deserialization of certain classes like HashMap and HashTable could eventually exhaust the heap. An attacker could use this to conduct a Denial of Service attack targeting these classes. 

Please refer to JBEAP-24964 for more details.