Decode a Java serialization stream (starting with 0xACED) into a readable object tree. Paste hex or base64. Everything runs in your browser.
Parses the JDK Object Serialization Stream Protocol: classes, fields, strings, arrays, enums and handle references. Custom writeObject payloads are surfaced as block data. Useful for inspecting deserialization gadgets and debugging RMI/JMX traffic.
Java's ObjectOutputStream produces a binary serialization stream that always begins with the magic bytes 0xAC 0xED. It carries class descriptors, field values, arrays and object graphs, and shows up in RMI, JMX, JSF view state and countless deserialization vulnerabilities. This tool parses that stream into a readable tree so you can see the classes, fields and values inside, without running any Java.
Input:
aced000574000568656c6c6f (hex) or rO0ABXQABWhlbGxv (base64)
Output:
"hello"
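The decode above, reduced to its first step, as an added example (not this tool's own code): validate the 0xACED header, then read the first element if it is a string or a class descriptor, which is where a gadget class name would appear. The function names and the demo.Point sample are constructed for illustration.

```javascript
// Added example: header check plus first-element decode of a Java serialization stream.
// Type codes come from the JDK Object Serialization Stream Protocol.
const TC_CLASSDESC = 0x72, TC_OBJECT = 0x73, TC_STRING = 0x74;

// Accept hex or base64. Base64 of an 0xACED stream starts with "rO0", never valid hex.
function toBytes(input) {
  const s = input.replace(/\s+/g, "");
  if (/^([0-9a-fA-F]{2})+$/.test(s)) {
    return Uint8Array.from(s.match(/../g), (h) => parseInt(h, 16));
  }
  return Uint8Array.from(atob(s), (c) => c.charCodeAt(0));
}

function decodeStream(input) {
  const b = toBytes(input);
  const v = new DataView(b.buffer);
  if (b.length < 4 || v.getUint16(0) !== 0xaced) {
    throw new Error("not a Java serialization stream");
  }
  const out = { version: v.getUint16(2) };
  let p = 4;
  // Strings carry a 2-byte big-endian length. Java writes modified UTF-8;
  // decoding as plain UTF-8 is an assumption that holds for ASCII content.
  const utf = () => {
    const n = v.getUint16(p);
    if (p + 2 + n > b.length) throw new Error("truncated string");
    const s = new TextDecoder().decode(b.subarray(p + 2, p + 2 + n));
    p += 2 + n;
    return s;
  };
  let tc = b[p++];
  if (tc === TC_STRING) return { ...out, type: "string", value: utf() };
  if (tc === TC_OBJECT) tc = b[p++]; // an object begins with its class descriptor
  if (tc === TC_CLASSDESC) {
    const className = utf();
    const serialVersionUID = v.getBigInt64(p); p += 8;
    const flags = b[p++]; // 0x02 = SC_SERIALIZABLE
    const fieldCount = v.getUint16(p);
    return { ...out, type: "classDesc", className, serialVersionUID, flags, fieldCount };
  }
  return { ...out, type: "unhandled", typeCode: tc };
}

// Constructed sample: an object of the made-up class demo.Point with no fields.
const SAMPLE_OBJECT = "aced00057372000a64656d6f2e506f696e7400000000000000010200007870";
```

Only bytes are read; no class is loaded or instantiated, so the class name can be checked against a denylist or allowlist before any Java code touches the stream.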
What can it decode?
Standard serialized objects: classes, primitive and object fields, strings, arrays, enums and references. Externalizable and custom writeObject data is shown as raw block data.
Why is this useful for security?
Java deserialization is a major vulnerability class. Inspecting a stream lets you identify gadget classes, such as those in ysoserial payloads, and understand what a target will instantiate.
Does it execute the object?
No. It only parses bytes. Nothing is instantiated or run, so it is safe for untrusted input.
Is anything uploaded?
No. Parsing runs entirely in your browser.