Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from Vendor (apache).
CVSS VectorVendor: apache
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
6Blast Radius
ecosystem impact- 1 maven packages depend on org.apache.opennlp:opennlp-tools (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 3.0.0-M1.
DescriptionCVE.org
XML External Entity (XXE) via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersistor
Versions Affected: before 2.5.9, before 3.0.0-M3
Description: The DictionaryEntryPersistor class initializes a static SAXParserFactory at class-load time without enabling FEATURE_SECURE_PROCESSING or disabling DTD processing. When create(InputStream, EntryInserter) is invoked, the only feature set on the XMLReader is namespace support - external entity resolution and DOCTYPE declarations remain fully enabled. An attacker who can supply a crafted dictionary file (e.g., a stop-word list or domain dictionary) containing a malicious DOCTYPE declaration can trigger local file disclosure via file:// entity references or server-side request forgery via http:// entity references during SAX parsing, before the application processes a single dictionary entry. This is inconsistent with the project's own XmlUtil.createSaxParser() helper, which correctly sets FEATURE_SECURE_PROCESSING and disallow-doctype-decl and is used by all other XML parsing paths in the codebase. The public Dictionary(InputStream) constructor delegates directly to this method and is the documented API for loading user-supplied dictionaries, making untrusted input a realistic scenario.
Mitigation: 2.x users should upgrade to 2.5.9. 3.x users should upgrade to 3.0.0-M3. Users who cannot upgrade immediately should ensure that all dictionary files are sourced from trusted origins and should consider wrapping the Dictionary(InputStream) constructor with input validation that rejects any XML containing a DOCTYPE declaration before it reaches the parser.
AnalysisAI
XML External Entity injection in Apache OpenNLP's DictionaryEntryPersistor allows remote unauthenticated attackers to disclose local files or perform server-side request forgery when processing untrusted dictionary files. The vulnerable SAX parser initialization omits critical security features (FEATURE_SECURE_PROCESSING, DTD disablement) present elsewhere in the codebase, creating an inconsistency exploitable via the public Dictionary(InputStream) API when loading stop-word lists or domain dictionaries. With EPSS at 0.03% (8th percentile) and no active exploitation reported, this represents a code-quality issue in a specific input path rather than an imminent widespread threat, though the CVSS 9.1 reflects maximum theoretical impact given the network-accessible, unauthenticated attack vector.
Technical ContextAI
Apache OpenNLP is a natural language processing toolkit. The DictionaryEntryPersistor class uses Java's SAXParserFactory for XML parsing but fails to configure XXE protections at class initialization. Standard XXE defenses require setting FEATURE_SECURE_PROCESSING (javax.xml.XMLConstants) and explicitly disabling external general entities, external parameter entities, and DOCTYPE declarations. OpenNLP's own XmlUtil.createSaxParser() helper implements these protections correctly and is used throughout the codebase, but DictionaryEntryPersistor bypasses it with a static factory that only enables namespace support. This creates CWE-611 (Improper Restriction of XML External Entity Reference) where malicious DOCTYPE declarations in dictionary files trigger entity expansion during SAX parsing. The affected component is cpe:2.3:a:apache_software_foundation:apache_opennlp across 2.x (pre-2.5.9) and 3.x (pre-3.0.0-M3) branches. Dictionary files are XML-formatted resources commonly loaded from user-controlled sources in NLP workflows, making untrusted input a realistic threat model.
RemediationAI
Vendor-released patches: Apache OpenNLP 2.5.9 for 2.x users and 3.0.0-M3 for 3.x users eliminate the vulnerability by correctly configuring SAX parser security features in DictionaryEntryPersistor. Download from official Apache distribution channels and verify release signatures per Apache security procedures (https://lists.apache.org/thread/r6jpt0qr9nj67gqhppqg7jxf8vsbo0w6). For users unable to upgrade immediately, implement pre-parse input validation rejecting any XML containing DOCTYPE declarations before passing to Dictionary(InputStream) constructor. Example compensating control: wrap InputStream in filtering layer that scans first 2KB for '<!DOCTYPE' substring and rejects if present (trade-off: potential false positives with legitimate comments, adds parsing overhead, does not protect against future XML injection variants). Stronger alternative: restrict dictionary file sources to administrator-controlled file paths with integrity verification via cryptographic signatures, preventing untrusted input from reaching the parser entirely (trade-off: reduces flexibility for dynamic dictionary loading in multi-tenant environments). Temporary workaround does not address root cause and should be replaced with vendor patch within standard change-control windows.
More in Apache Opennlp
View allApache OpenNLP's model loading mechanism executes arbitrary static initializers through crafted manifest entries, enabli
Untrusted Java deserialization in Apache OpenNLP's SvmDoccatModel (libsvm document categorization module, versions 3.0.0
Remote denial of service in Apache OpenNLP versions before 2.5.9 and 3.0.0-M3 allows unauthenticated attackers to crash
Vendor StatusVendor
SUSE
Severity: CriticalShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27003
GHSA-4v8g-86x5-3vrc