
JourneyMap on the list
mysticdrew opened this issue · 9 comments
The class referenced in the json only existed in 1.12.2-5.5.x versions, as network was completely rewritten in 5.6.x versions.
Secondly, the class referenced in the json does not use ObjectInputStream. We have never used that class in any versions as far as I am aware.
These are the imports for that class.
I am confused why JourneyMap is even on this list? How did you detect it?
The jar I looked at was journeymap-1.16.5-5.7.1.jar
But as I already mentioned in #6 and as of 5ba2357 in the readme as well, the listed mods just mean that there was at least one vulnerable version.
Because of the rushed announcement, we are currently unable to give exact version ranges of affected mods. If you want to help out with that, feel free to contribute to this list.
If anyone can provide some more insights into the exact versions that were affected for these mods, that would be great!
Looks like the class was used in 5.7.1 for 1.16.5 but was removed in 5.7.2.
So 1.16.5-5.7.2 is the fixed version. All other 5.7.1 versions, it looks like, do not use that class.
Please update your readme, or would you like me to PR the change?
It looks like it was used as a quick fix to get the 1.16.x port out the door, and was removed right away in the 5.7.2 lifecycle.
The pack version is using journeymap-1.18.2-5.8.5-fabric.jar
Per the chat above, I think we can conclude that no, it is not affected by your version.
Does this affect the Fabric version at all? Asking as I'm a pack dev and want to make sure I don't need to update my fabric packs.
Are you using journeymap 1.16.5-5.7.1?