Cache Modules / MGNLCACHE-165

CacheEndpoint is potentially vulnerable to RCE


    • Type: Bug
    • Resolution: Fixed
    • Priority: Critical
    • Versions: 5.5.3, 5.5.2
    • Component: cache browser
    • Labels: None
    • Sprint: Basel 85
    • Story points: 8

      As described in MAGNOLIA-6900, our CacheEndpoint is vulnerable to RCE through JSON-to-object deserialization; the /delete and /download methods are affected.
      Both expect a cacheKey query parameter as a JSON string (carrying type information) that is handed to the json-io library.

      This is strongly mitigated by the fact that anonymous access to /.rest* is denied out of the box, but it may still be exploited CSRF-style.

      This issue proposes implementing a custom java.lang.ClassLoader and passing it to com.cedarsoftware.util.io.JsonReader at deserialization time. That gives us the ability to stop an attack at the point where the endpoint is asked to deserialize an unwanted class. The allowed classes are made configurable in JCR: the user only has to populate the whitelist of classes the endpoint may deserialize via info.magnolia.cache.browser.CacheBrowserAppModule, and the custom ClassLoader handles the rest (deciding whether a requested class is rejected or loaded).
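The following is an added illustration of the allowlisting ClassLoader described above; it is not Magnolia's implementation of this ticket. It assumes the json-io 4.x API (JsonReader.jsonToJava with an argument map and the JsonReader.CLASSLOADER key), and the class names in the allowlist and the sample cacheKey strings are constructed for the example rather than taken from the module's JCR configuration.

```java
import com.cedarsoftware.util.io.JsonReader;

import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not Magnolia's code): a ClassLoader that refuses to resolve any
 * class outside an explicit allowlist. json-io asks the supplied ClassLoader for
 * every "@type" name it finds in the JSON, so an unexpected class name fails with
 * ClassNotFoundException before any instance of it is created.
 */
public final class AllowlistClassLoader extends ClassLoader {

    private final Set<String> allowed;

    public AllowlistClassLoader(ClassLoader parent, Set<String> allowed) {
        super(parent);
        this.allowed = Collections.unmodifiableSet(new HashSet<>(allowed));
    }

    @Override
    protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
        if (!allowed.contains(name)) {
            // Default deny: the parent loader is never consulted for unlisted names.
            throw new ClassNotFoundException("class not allowed for cache key deserialization: " + name);
        }
        // Listed names are delegated to the parent as usual (no classes are defined here).
        return super.loadClass(name, resolve);
    }

    /**
     * Deserialize a cacheKey JSON string with json-io, honouring the allowlist.
     * JsonReader.CLASSLOADER is the json-io 4.x argument key for the loader to use;
     * verify it against the json-io version actually on the classpath.
     */
    public static Object readCacheKey(String cacheKeyJson, Set<String> allowed) {
        Map<String, Object> args = new HashMap<>();
        args.put(JsonReader.CLASSLOADER,
                new AllowlistClassLoader(AllowlistClassLoader.class.getClassLoader(), allowed));
        return JsonReader.jsonToJava(cacheKeyJson, args);
    }

    public static void main(String[] argv) {
        // Hypothetical allowlist: in Magnolia this would be read from the JCR
        // configuration of CacheBrowserAppModule; these names are assumed.
        Set<String> allowed = new HashSet<>();
        allowed.add("java.util.HashMap");
        allowed.add("java.lang.String");
        allowed.add("java.lang.Integer");

        // Constructed input: a key that only uses listed types.
        String ok = "{\"@type\":\"java.util.HashMap\",\"uri\":\"/docs\",\"locale\":\"en\"}";
        System.out.println("accepted: " + readCacheKey(ok, allowed));

        // Constructed input: a type name that is not on the allowlist.
        String unlisted = "{\"@type\":\"com.example.NotAllowed\",\"x\":1}";
        try {
            readCacheKey(unlisted, allowed);
        } catch (RuntimeException e) {
            // json-io reports the failed class lookup as an unchecked JsonIoException.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The design choice worth noting is default deny by exact name: the loader lists only the types a legitimate cache key is built from, rather than trying to enumerate dangerous classes, and because unlisted names are rejected before parent delegation, a class that exists on the classpath is still never handed to the deserializer.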

        Acceptance criteria

    • People: Ilgun Ilgun (ilgun)
    • Votes: 0
    • Watchers: 3