by fernandezpablo 4908 days ago
1. Keep this link bookmarked.

2. Pull it off next time someone starts with the 'test-replace-static-typing' argument.

3. WIN

2 comments

This problem is due to deserialization creating object (sub)graphs which are unintentionally too powerful. Statically typed languages (especially without dependent types) can do this too, even when the root object(s) matches the type(s) expected by the caller. The cure is http://en.wikipedia.org/wiki/Capability-based_security: write out what the caller is currently allowed to do, rather than blindly granting dangerous privileges and relying on the code's design never to use them. Even tainting, a very crude manual form, seems like it could have caught this.
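Added illustration of the allow-list idea in this comment, in Python; it is not code from the thread or from any project discussed here. It assumes a hypothetical `Point` type as the only object the caller is entitled to receive, and shows a `pickle.Unpickler` that can only resolve classes written out in advance, so a payload referencing anything else (here `datetime.date`) is refused instead of silently building a more powerful object graph.

```python
import io
import pickle
from datetime import date


class Point:
    """Hypothetical application type the caller is meant to receive."""

    def __init__(self, x, y):
        self.x, self.y = x, y

    def __eq__(self, other):
        return isinstance(other, Point) and (self.x, self.y) == (other.x, other.y)


# The capability list: the only (module, name) pairs this deserializer may
# resolve, mapped to the exact class object. Nothing absent from this table is
# reachable, however harmless it looks, so the graph cannot grow past it.
ALLOWED_GLOBALS = {
    (Point.__module__, "Point"): Point,
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that hands out only the classes on the allow-list."""

    def find_class(self, module, name):
        cls = ALLOWED_GLOBALS.get((module, name))
        if cls is None:
            raise pickle.UnpicklingError(
                f"refusing to resolve {module}.{name}: not on the allow-list")
        return cls


def restricted_loads(data: bytes):
    """Deserialize untrusted bytes, resolving classes only via the allow-list."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes):
    """Return (True, obj) on success or (False, reason) when the payload is refused."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample payloads (not captured from any real system).
EXPECTED_BLOB = pickle.dumps([Point(1, 2), Point(3, 4)])  # only allowed types
UNEXPECTED_BLOB = pickle.dumps(date(2013, 1, 8))          # references datetime.date
```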
Struts2 had a similar vulnerability last year: http://websec.wordpress.com/2012/01/04/multiple-vulnerabilit...