Crystallizer: A Hybrid Path Analysis Framework to Aid In Uncovering Deserialization Vulnerabilities

Dec 7, 2023

About

Applications leverage serialization and deserialization to exchange data between instances. Serialization allows developers to exchange messages or perform remote method invocation in distributed applications. However, the application logic itself is responsible for security. Adversaries may abuse bugs in the deserialization logic to forcibly invoke attacker-controlled methods by crafting malicious bytestreams (payloads). Crystallizer presents a novel hybrid framework to automatically identify deserialization vulnerabilities by combining static and dynamic analyses. Our intuition is to first over-approximate possible payloads through static analysis (to constrain the search space). Then, we use dynamic analysis to instantiate concrete payloads as a proof-of-concept of a vulnerability (giving the analyst concrete examples of possible attacks). Our proof-of-concept focuses on Java deserialization as the imminent domain of such attacks. We evaluate our prototype on seven popular Java libraries against state-of-the-art frameworks for uncovering gadget chains. In contrast to existing tools, we uncovered 47 previously unknown exploitable chains. Finally, we show the real-world security impact of Crystallizer by using it to synthesize gadget chains to mount RCE and DoS attacks on two popular Java applications automatically. We have responsibly disclosed all newly discovered vulnerabilities.

Interested in talks like this? Follow ESEC-FSE