The vulnerability arises from the ExtensionLoader.instantiateExtension(Class, String) method in Apache OpenNLP, which uses Class.forName() to load a class specified by the manifest.properties entry of a model archive. Although a type check is performed after loading, the class is already initialized, executing its static initializer. An attacker supplying a crafted model archive can cause any class on the classpath to have its static initializer run during model loading, potentially triggering side effects such as JNDI lookups, network I/O, or filesystem access. This is not direct remote code execution but can be leveraged if suitable classes with side-effecting static initializers exist. The fix, introduced in versions 2.5.9 and 3.0.0-M3, adds a package-prefix allowlist checked before class loading to block unauthorized classes. Users must upgrade or restrict model sources and audit their environment.

Successful exploitation allows an attacker who can supply a malicious model archive to trigger the static initializer of any class on the classpath during model loading. This can lead to side effects such as network requests, filesystem access, or other actions performed by those static initializers, potentially compromising confidentiality, integrity, and availability. The vulnerability has a CVSS score of 9.8 (critical), indicating high impact with network attack vector, no privileges or user interaction required, and full confidentiality, integrity, and availability impact. However, exploitation depends on the presence of classes with exploitable static initializers on the classpath and attacker control over model archives.

A fix is available: users of Apache OpenNLP 2.x should upgrade to version 2.5.9 or later, and users of 3.x should upgrade to 3.0.0-M3 or later. The fix implements a package-prefix allowlist to prevent loading classes outside approved packages, blocking execution of unauthorized static initializers. Deployments that load models referencing classes outside the default 'opennlp.' package must explicitly allow those packages via ExtensionLoader.registerAllowedPackage(String) or the OPENNLP_EXT_ALLOWED_PACKAGES system property before loading models. Users unable to upgrade immediately should ensure all model files come from trusted sources and audit their classpath for classes with side-effecting static initializers or constructors, especially those performing JNDI lookups, network, or filesystem operations during initialization.