This endpoint deserializes Java objects: as part of the processing, any serialized arguments for the remote invocation are deserialized, so if the classpath contains classes that can be used as gadgets to achieve remote code execution, an attacker will be able to run arbitrary system commands.
https://www.bigous.me/2022/09/06/CVE-2022-35405.html
https://github.com/frohoff/ysoserial
To generate the Java serialized object payload, ysoserial can be used. The library versions bundled with ysoserial must match the server's org.apache.commons.beanutils version; if they do not, the server reports something like:
Failed to read result object: org.apache.commons.beanutils.BeanComparator; local class incompatible: stream classdesc serialVersionUID = -2044202215314119608, local class serialVersionUID = -3490850999041592962
To get past that, follow the instructions in the article linked above: identify the exact server library version from its serialVersionUID and change the corresponding dependency version in the pom.xml of ysoserial.