CVE-2026-43825
Received Received - Intake

Untrusted Java Deserialization in Apache OpenNLP

Vulnerability report for CVE-2026-43825, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: Apache Software Foundation

Description

Untrusted Java Deserialization in Apache OpenNLP SvmDoccatModel Versions Affected: Β  before 3.0.0-M4 (libsvm document categorization module; introduced in Β  OPENNLP-1808 and only present on the 3.x line) Description: SvmDoccatModel.deserialize(InputStream) reads an attacker-controlled stream with java.io.ObjectInputStream and calls readObject() without an ObjectInputFilter installed. ObjectInputStream materialises every class referenced in the stream before the resulting object is cast to SvmDoccatModel, so the cast that follows readObject() executes only after the foreign object graph has already been deserialised in full. If a Java deserialization gadget chain is available on the consumer's classpath, a crafted payload supplied to deserialize() executes arbitrary code in the JVM that loads it. Apache OpenNLP itself does not ship a known gadget chain, so the realistic risk is to downstream applications that embed the libsvm module alongside vulnerable transitive dependencies. The method is public and static, so any caller can pass an untrusted stream to it directly. The practical impact is remote code execution against processes that load SvmDoccatModel instances from untrusted or semi-trusted origins. Mitigation: 3.x users should upgrade to 3.0.0-M4. Users who cannot upgrade immediately should treat all serialized SvmDoccatModel streams as untrusted input unless their provenance is verified, and should avoid invoking SvmDoccatModel.deserialize() on streams supplied by end users or fetched from third-party sources without integrity checks.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
apache opennlp to 3.0.0-M4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an untrusted Java deserialization issue in the Apache OpenNLP SvmDoccatModel component before version 3.0.0-M4. The method SvmDoccatModel.deserialize(InputStream) reads data from an attacker-controlled stream using java.io.ObjectInputStream without applying any ObjectInputFilter. This means that the entire object graph referenced in the stream is deserialized before any type casting occurs.

If a malicious Java deserialization gadget chain exists on the classpath of the application using this module, an attacker can craft a payload that executes arbitrary code when deserialized. Apache OpenNLP itself does not include such gadget chains, so the risk mainly applies to downstream applications that include vulnerable dependencies alongside the libsvm module.

Because the deserialize method is public and static, any caller can pass an untrusted stream directly to it, increasing the risk of exploitation.

Impact Analysis

The primary impact of this vulnerability is remote code execution (RCE) on processes that load SvmDoccatModel instances from untrusted or semi-trusted sources. An attacker who can supply a crafted serialized stream to the deserialize method may execute arbitrary code within the Java Virtual Machine hosting the application.

This can lead to full compromise of the affected system, including unauthorized access, data theft, or disruption of services.

Detection Guidance

Detection of this vulnerability involves identifying usage of the vulnerable Apache OpenNLP versions before 3.0.0-M4, specifically the libsvm document categorization module that includes the SvmDoccatModel.deserialize(InputStream) method.

You can check your system or application dependencies for Apache OpenNLP versions prior to 3.0.0-M4.

  • Use dependency management tools to list versions, for example, in Maven: mvn dependency:tree | grep opennlp
  • In Gradle: ./gradlew dependencies | grep opennlp
  • Search your codebase for calls to SvmDoccatModel.deserialize() to identify if untrusted streams might be passed.

Network detection is difficult because the vulnerability is triggered by deserialization of crafted Java objects within the application. Monitoring for suspicious or unexpected serialized Java object streams being loaded by the application could help, but no specific commands are provided.

Mitigation Strategies

The primary mitigation is to upgrade Apache OpenNLP to version 3.0.0-M4 or later, where this vulnerability is fixed.

If upgrading immediately is not possible, treat all serialized SvmDoccatModel streams as untrusted input unless their provenance is verified.

Avoid invoking SvmDoccatModel.deserialize() on streams supplied by end users or fetched from third-party sources without integrity checks.

Compliance Impact

The provided context does not include any information about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43825. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart