Description
Currently the ViewState ID provided by the user is deserialized via Java deserialization even when javax.faces.STATE_SAVING_METHOD is set to server (the default).
In this case the deserialization is unnecessary and most likely even slower than just sending the ViewState ID directly.
If a developer now disables ViewState encryption by setting org.apache.myfaces.USE_ENCRYPTION to false (against the MyFaces security advice), they may have unintentionally introduced a dangerous remote code execution (RCE) vulnerability as described here.
This has been discussed before on Issue MYFACES-4021.
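To make the point concrete, the following is an added, self-contained example (not MyFaces code, not from this issue's reporter) contrasting the two ways a server-side state-saving implementation can map the javax.faces.ViewState request parameter back to a saved view: deserializing a Java object that the client sent, versus looking up an opaque random token. All class and method names in it (ViewStateStore, StateKey, restoreByDeserializing, restoreByOpaqueToken) are invented for the illustration, and the "saved view" is a constructed placeholder string.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

/*
 * Illustration added for this issue; not MyFaces code. All names below
 * (ViewStateStore, StateKey, restoreByDeserializing, restoreByOpaqueToken)
 * are invented for the example.
 */
public class ViewStateStore {

    /** Hypothetical key under which a view's state is kept on the server. */
    static final class StateKey implements Serializable {
        private static final long serialVersionUID = 1L;
        final long sequence;
        StateKey(long sequence) { this.sequence = sequence; }
        @Override public boolean equals(Object o) {
            return o instanceof StateKey && ((StateKey) o).sequence == sequence;
        }
        @Override public int hashCode() { return Long.hashCode(sequence); }
    }

    private final Map<Object, Object> savedViews = new ConcurrentHashMap<>();

    // ---------- Pattern 1: the behaviour this issue describes ----------

    /** Serializes the key and Base64-encodes it for the hidden ViewState field. */
    String issueSerializedId(StateKey key) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(key);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    /**
     * Restores by deserializing the client-supplied parameter. When nothing
     * authenticates these bytes (the situation with USE_ENCRYPTION=false), the
     * attacker chooses the serialized stream, and readObject() instantiates
     * whatever classes are on the classpath before the cast to StateKey runs.
     * That is where the RCE exposure lives.
     */
    Object restoreByDeserializing(String viewStateParam)
            throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(viewStateParam);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            StateKey key = (StateKey) ois.readObject();   // attacker-controlled stream
            return savedViews.get(key);
        }
    }

    // ---------- Pattern 2: opaque token, no deserialization at all ----------

    private static final SecureRandom RNG = new SecureRandom();
    // 32 random bytes, base64url without padding, is always 43 characters.
    private static final Pattern TOKEN_SHAPE = Pattern.compile("[A-Za-z0-9_-]{43}");

    /** Issues a random, unguessable token; the client never receives a Java object. */
    String issueOpaqueToken(Object viewState) {
        byte[] id = new byte[32];
        RNG.nextBytes(id);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(id);
        savedViews.put(token, viewState);
        return token;
    }

    /**
     * Restores by map lookup only. The parameter is checked for shape, then used
     * as a key. No ObjectInputStream ever touches user input, so the encryption
     * setting no longer decides whether deserialization is reachable.
     */
    Object restoreByOpaqueToken(String viewStateParam) {
        if (viewStateParam == null || !TOKEN_SHAPE.matcher(viewStateParam).matches()) {
            return null;   // malformed or forged token: treat like an expired view
        }
        return savedViews.get(viewStateParam);
    }

    public static void main(String[] args) throws Exception {
        ViewStateStore store = new ViewStateStore();
        Object view = "saved component tree (constructed sample)";

        String token = store.issueOpaqueToken(view);
        System.out.println("opaque lookup restores view: " + (store.restoreByOpaqueToken(token) == view));
        System.out.println("forged token rejected:       " + (store.restoreByOpaqueToken("AAAA") == null));

        StateKey key = new StateKey(7);
        store.savedViews.put(key, view);
        String serialized = store.issueSerializedId(key);
        System.out.println("deserializing path works:    " + (store.restoreByDeserializing(serialized) == view));
    }
}
```

The second pattern is what "just sending the ViewState ID directly" amounts to: with server-side state saving the client only needs a handle, so there is no reason for the handle to be a serialized Java object. If a serialized form must be kept for compatibility, the minimum mitigation is to keep the encryption and MAC enabled and, on Java 9 and later, to set an ObjectInputFilter that whitelists only the expected key class.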