The vulnerability stems from unsafe deserialization via JMatIO's MatFileReader in Apache Tika's MatParser. The patch added a static block in MatParser.java to disable object deserialization (MatFileReader.setAllowObjectDeserialization(false)), which was missing in vulnerable versions. The parse method is the entry point that triggers JMatIO's deserialization logic without this safeguard, making it the vulnerable function. The absence of the static initializer in pre-1.14 versions left the deserialization flag enabled by default, leading to CWE-502 exploitation.