Add stern javadoc warning about Base64.decodeToObject() being unsafe and mark method as deprecated. #354

@kwwall

Description

The Base64.decodeToObject() is unsafe as it attempts to serialize non-validated data. The Java deserialization that it attempts via ObjectInputStream.readObject() can potentially lead to remote code injection vulnerabilities.

This method should be tagged as @deprecated and noted in the javadoc as such, along with a stern warning that it is unsafe and will be removed in a future release. (Without potentially breaking someone's code, that's the best we can do for now.)
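As an added illustration (not ESAPI's code, and not part of this issue), the following shows what the requested deprecation could look like next to the reason the method is dangerous, plus a mitigated variant that restricts `ObjectInputStream.readObject()` with a JEP 290 allow-list filter (Java 9+). The class name, the use of `java.util.Base64` in place of ESAPI's own `Base64` class, and the `decodeToObjectFiltered` helper are assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Base64;

/** Illustrative stand-in for ESAPI's Base64 class (assumed names, not project code). */
public final class Base64DecodeToObjectExample {

    /**
     * Decodes a Base64 string and deserializes the resulting bytes.
     *
     * @deprecated UNSAFE: the decoded bytes are handed, unvalidated, to
     *   {@link ObjectInputStream#readObject()}. Deserializing data from an
     *   untrusted source can lead to remote code execution. This method will
     *   be removed in a future release; do not call it on untrusted input.
     */
    @Deprecated
    public static Object decodeToObject(String encoded)
            throws IOException, ClassNotFoundException {
        byte[] bytes = Base64.getDecoder().decode(encoded);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject(); // any Serializable class in the stream is instantiated here
        }
    }

    /**
     * Mitigated variant (assumed, not ESAPI's API): the caller supplies a JEP 290
     * filter pattern such as "java.lang.Integer;java.lang.Number;!*" so that only
     * the explicitly allowed classes may be deserialized.
     */
    public static Object decodeToObjectFiltered(String encoded, String allowListPattern)
            throws IOException, ClassNotFoundException {
        byte[] bytes = Base64.getDecoder().decode(encoded);
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(allowListPattern);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter); // consulted for every class descriptor read
            return ois.readObject();
        }
    }

    /** Test helper: serialize and Base64-encode an object the way a caller would. */
    static String encodeObject(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: an Integer (expected type) and an ArrayList (unexpected type).
        String allowOnlyInteger = "java.lang.Integer;java.lang.Number;!*";
        String expected = encodeObject(Integer.valueOf(42));
        String unexpected = encodeObject(new ArrayList<String>());

        System.out.println("filtered decode of expected type: "
                + decodeToObjectFiltered(expected, allowOnlyInteger));

        try {
            decodeToObjectFiltered(unexpected, allowOnlyInteger);
            System.out.println("unexpected type was NOT rejected (filter misconfigured?)");
        } catch (InvalidClassException e) {
            System.out.println("unexpected type rejected by filter: " + e.getMessage());
        }

        // The deprecated method accepts the same unexpected stream without complaint,
        // which is exactly why the issue asks for the warning.
        @SuppressWarnings("deprecation")
        Object unchecked = decodeToObject(unexpected);
        System.out.println("deprecated decode instantiated: " + unchecked.getClass().getName());
    }
}
```

The allow-list pattern must include serializable superclasses (here `java.lang.Number` for `Integer`) because the filter is consulted for each class descriptor in the stream; the trailing `!*` rejects everything not listed. The filter is a defence-in-depth measure only: the underlying recommendation in the issue, not deserializing untrusted bytes at all, still stands.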
