The biggest cause of vulnerabilities in Java serialization is that the class is part of the serialization format, so an attacker can cause the serialization to produce classes that you aren't expecting.
Json.NET seems to allow the same behavior, but has it disabled by default.
> In fact the only kind that is not vulnerable is the default: TypeNameHandling.None
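
An added example, not part of the original comment, contrasting the default `TypeNameHandling.None` with `TypeNameHandling.Auto` and with `Auto` restricted by an allowlist binder. The `Envelope`, `Greeting`, `Unexpected` and `AllowlistBinder` names are hypothetical, and the code assumes Newtonsoft.Json 10 or later for `ISerializationBinder`.

```csharp
using System;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Hypothetical types for this example (not from any real code base).
public class Envelope { public object Body { get; set; } }
public class Greeting { public string Text { get; set; } }    // expected by the receiver
public class Unexpected { public string Text { get; set; } }  // never meant to be accepted

// Allowlist binder: a "$type" value resolves only to types named here.
public class AllowlistBinder : ISerializationBinder
{
    public Type BindToType(string assemblyName, string typeName)
    {
        if (typeName == nameof(Greeting)) return typeof(Greeting);
        throw new JsonSerializationException("Type not allowed: " + typeName);
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.Name;
    }
}

public static class Demo
{
    public static void Main()
    {
        var auto = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.Auto };
        // Constructed input: JSON whose "$type" names a class the sender chose.
        string json = JsonConvert.SerializeObject(
            new Envelope { Body = new Unexpected { Text = "hi" } }, auto);

        // Default (TypeNameHandling.None): "$type" is not used to pick a class.
        var safe = JsonConvert.DeserializeObject<Envelope>(json);
        Console.WriteLine(safe.Body.GetType().Name);

        // TypeNameHandling.Auto: the class named in the data is instantiated.
        var risky = JsonConvert.DeserializeObject<Envelope>(json, auto);
        Console.WriteLine(risky.Body.GetType().Name);

        // Auto plus an allowlist binder: the unlisted class is rejected.
        auto.SerializationBinder = new AllowlistBinder();
        try { JsonConvert.DeserializeObject<Envelope>(json, auto); }
        catch (JsonSerializationException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```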