Remove commons-collection dependency, or upgrade commons-collections to v3.2.2 or v4.1 or later to mitigate level 9 threat.
Old name: commons-collections:commons-collections
Current name: org.apache.commons:commons-collections4
Velocity Tools v2.0 uses commons-collections:commons-collections v3.2
commons-collections4 v4.1 includes the critical security fix
COLLECTIONS-580. Quoting from v4.1 release notes:
Serialization support for unsafe classes in the functor package has been removed completely as this can be exploited for remote code execution attacks. Classes considered to be unsafe are: