Apache MINA
Unsafe Java deserialization in Apache MINA's ObjectSerializationDecoder allows remote unauthenticated attackers to bypass the acceptMatchers class allow-list and achieve arbitrary code execution. Two distinct flaws are addressed: a TC_PROXYCLASSDESC handling gap where resolveProxyClass is not overridden (permitting java.lang.reflect.Proxy instantiation outside the allow-list), and a Class.forName invocation in readClassDescriptor that triggers static initializers of allow-listed classes before any instance check. No public exploit identified at time of analysis, but the CVSS 9.8 rating and well-known deserialization attack patterns make this a high-priority issue for any application exposing MINA's object serialization codec.
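As an added example (not MINA's own code or its fix), a hypothetical ObjectInputStream subclass that closes both gaps described above: the allow-list is consulted in resolveProxyClass as well as resolveClass, and class lookups use Class.forName with initialize=false so that merely naming an allow-listed class in the stream cannot run its static initializer. The class name, its constructor parameters and the allow-list set are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Set;

/** Hypothetical hardened reader: every class name the stream can mention passes the allow-list first. */
public class AllowListObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;   // fully qualified names permitted on the wire (assumed input)
    private final ClassLoader loader;    // loader used for lookups only, never for initialization

    public AllowListObjectInputStream(InputStream in, Set<String> allowed, ClassLoader loader)
            throws IOException {
        super(in);
        this.allowed = allowed;
        this.loader = loader;
    }

    /** Name check that runs before any class is loaded, so no static initializer can fire. */
    private void check(String name) throws InvalidClassException {
        if (!allowed.contains(name)) {
            throw new InvalidClassException(name, "class not on allow-list");
        }
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        check(desc.getName());
        // initialize=false: an allow-listed class is only loaded here, not initialized, so its
        // <clinit> cannot run as a side effect of the class descriptor appearing in the stream.
        return Class.forName(desc.getName(), false, loader);
    }

    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        // TC_PROXYCLASSDESC path: the default implementation builds a java.lang.reflect.Proxy class
        // from the listed interfaces without going through resolveClass, so a reader that only
        // overrides resolveClass never sees them. Every interface name must be allow-listed.
        for (String iface : interfaces) {
            check(iface);
        }
        return super.resolveProxyClass(interfaces);
    }
}
```

On JDK 9+ (and 8u121+) the same name gate can also be expressed as an ObjectInputFilter installed with setObjectInputFilter, which is the JDK's standard mechanism for deserialization allow-lists.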