Abstract: In this paper we propose a vulnerability mining method based on the Abstract Syntax Tree (AST), which can automatically detect defects in mainstream Java JSON deserialization frameworks.