CVE-2026-43825
Gravedad CVSS v3.1:
ALTA
Tipo:
CWE-502
Deserialización de datos no confiables
Fecha de publicación:
06/07/2026
Última modificación:
06/07/2026
Descripción
*** Pendiente de traducción *** Untrusted Java Deserialization in Apache OpenNLP SvmDoccatModel<br />
<br />
Versions Affected:<br />
before 3.0.0-M4 (libsvm document categorization module; introduced in<br />
OPENNLP-1808 and only present on the 3.x line)<br />
<br />
Description:<br />
SvmDoccatModel.deserialize(InputStream) reads an attacker-controlled<br />
stream with java.io.ObjectInputStream and calls readObject() without an<br />
ObjectInputFilter installed. ObjectInputStream materialises every class<br />
referenced in the stream before the resulting object is cast to<br />
SvmDoccatModel, so the cast that follows readObject() executes only<br />
after the foreign object graph has already been deserialised in full.<br />
<br />
If a Java deserialization gadget chain is available on the consumer&#39;s<br />
classpath, a crafted payload supplied to<br />
deserialize() executes arbitrary code in the JVM that loads it. Apache<br />
OpenNLP itself does not ship a known gadget chain, so the realistic<br />
risk is to downstream applications that embed the libsvm module<br />
alongside vulnerable transitive dependencies. The method is public and<br />
static, so any caller can pass an untrusted stream to it directly.<br />
<br />
The practical impact is remote code execution against processes that<br />
load SvmDoccatModel instances from untrusted or semi-trusted origins.<br />
<br />
Mitigation:<br />
<br />
3.x users should upgrade to 3.0.0-M4.<br />
<br />
Users who cannot upgrade immediately should treat all serialized<br />
SvmDoccatModel streams as untrusted input unless their provenance is<br />
verified, and should avoid invoking SvmDoccatModel.deserialize() on<br />
streams supplied by end users or fetched from third-party sources<br />
without integrity checks.
Impacto
Puntuación base 3.x
7.30
Gravedad 3.x
ALTA



