9.8

CVE-2026-47065

Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass - ZDRES-232

ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy


Assessment: Fully addressed.


When the serialised stream contains a TC_PROXYCLASSDESC (the marker 
for a java.lang.reflect.Proxy ), JDK’s ObjectInputStream.readProxyDesc()
 is
dispatched. JDK then calls the default 
ObjectInputStream.resolveProxyClass(interfaces) implementation, which 
performs Class.forName(intf, false, latestUserDefinedLoader()) for EACH 
interface name and constructs the proxy class — bypassing the accepted
 classes list .


ZDRES-233: Class.forName(name, initialize=true, classLoader) in 
readClassDescriptor Triggers Static Initialiser of Allow-Listed Classes


Assessment: Fully addressed.


For ANY class on the allow-list, deserialising a stream that names it triggers the class’s 
 (static initialiser) BEFORE any instance is constructed. This means an 
attacker who supplies a class name on the allow-list (e.g., the 
developer wrote accept(“com.myapp.*") , attacker supplies 
com.myapp.SomeClass ) causes <clinit> of SomeClass — and many 
real-world classes have side-effecting static initialisers


Both issues have been fixed.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheMina Version2.0.29
ApacheMina Version2.1.13
ApacheMina Version2.2.8
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.47% 0.371
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security@apache.org 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://lists.apache.org/thread/y7xj1bl8qo47p9bktb11hg5v6k1d4dyj
Vendor Advisory
Mailing List