In this paper we propose a vulnerability mining method based on the Abstract Syntax Tree (AST) that automatically detects defects in the mainstream Java JSON deserialization frameworks. Such JSON deserialization vulnerabilities are difficult to audit manually, and traditional white-box detection tools are not suited to scanning for them. Our vulnerability mining model addresses both problems: it automatically mines the potential exploit chains of JSON deserialization vulnerabilities. We also analyze the root cause of Java JSON deserialization vulnerabilities and present defense and recovery schemes using a remote command execution vulnerability as a case study.