CVE-2026-43825: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache OpenNLP :: Core :: ML :: LibSVM
Apache OpenNLP versions before 3.0.0-M4 in the libsvm document categorization module contain a deserialization vulnerability in the SvmDoccatModel.deserialize(InputStream) method. This method deserializes data from an untrusted stream without applying an ObjectInputFilter, allowing arbitrary code execution if a malicious payload is provided. The vulnerability arises because the deserialization process materializes all classes referenced in the stream before casting to SvmDoccatModel. Apache OpenNLP does not ship known gadget chains, so the risk is mainly to downstream applications that include vulnerable dependencies. Users should upgrade to version 3.0.0-M4 or treat serialized streams as untrusted and avoid deserializing unverified input.
AI Analysis
Technical Summary
The vulnerability (CVE-2026-43825) affects Apache OpenNLP's libsvm document categorization module prior to version 3.0.0-M4. The SvmDoccatModel.deserialize(InputStream) method uses java.io.ObjectInputStream to deserialize data from an attacker-controlled stream without an ObjectInputFilter, allowing deserialization of arbitrary objects. Since the deserialization occurs before the cast to SvmDoccatModel, any malicious object graph can be fully materialized. If a Java deserialization gadget chain is present in the application's classpath, this can lead to remote code execution. Apache OpenNLP itself does not include known gadget chains, so the primary risk is to downstream applications embedding this module with vulnerable dependencies. The method is public and static, enabling any caller to pass untrusted streams directly.
Potential Impact
The vulnerability enables remote code execution in JVM processes that deserialize SvmDoccatModel instances from untrusted or semi-trusted sources. This can compromise the confidentiality, integrity, and availability of affected systems. The risk depends on the presence of exploitable gadget chains in the runtime environment, which Apache OpenNLP does not provide by default. Therefore, the impact is primarily on downstream applications that include vulnerable transitive dependencies alongside the libsvm module.
Mitigation Recommendations
Users of Apache OpenNLP 3.x should upgrade to version 3.0.0-M4, which addresses this vulnerability. For those unable to upgrade immediately, it is critical to treat all serialized SvmDoccatModel streams as untrusted unless their provenance is verified. Avoid calling SvmDoccatModel.deserialize() on streams from end users or third-party sources without integrity checks. No official patch or fix advisory is provided in the input data; therefore, patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
CVE-2026-43825: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache OpenNLP :: Core :: ML :: LibSVM
Description
Apache OpenNLP versions before 3.0.0-M4 in the libsvm document categorization module contain a deserialization vulnerability in the SvmDoccatModel.deserialize(InputStream) method. This method deserializes data from an untrusted stream without applying an ObjectInputFilter, allowing arbitrary code execution if a malicious payload is provided. The vulnerability arises because the deserialization process materializes all classes referenced in the stream before casting to SvmDoccatModel. Apache OpenNLP does not ship known gadget chains, so the risk is mainly to downstream applications that include vulnerable dependencies. Users should upgrade to version 3.0.0-M4 or treat serialized streams as untrusted and avoid deserializing unverified input.
Affected software
pkg:maven/Apache Software Foundation/org.apache.opennlp:opennlp-ml-libsvmRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability (CVE-2026-43825) affects Apache OpenNLP's libsvm document categorization module prior to version 3.0.0-M4. The SvmDoccatModel.deserialize(InputStream) method uses java.io.ObjectInputStream to deserialize data from an attacker-controlled stream without an ObjectInputFilter, allowing deserialization of arbitrary objects. Since the deserialization occurs before the cast to SvmDoccatModel, any malicious object graph can be fully materialized. If a Java deserialization gadget chain is present in the application's classpath, this can lead to remote code execution. Apache OpenNLP itself does not include known gadget chains, so the primary risk is to downstream applications embedding this module with vulnerable dependencies. The method is public and static, enabling any caller to pass untrusted streams directly.
Potential Impact
The vulnerability enables remote code execution in JVM processes that deserialize SvmDoccatModel instances from untrusted or semi-trusted sources. This can compromise the confidentiality, integrity, and availability of affected systems. The risk depends on the presence of exploitable gadget chains in the runtime environment, which Apache OpenNLP does not provide by default. Therefore, the impact is primarily on downstream applications that include vulnerable transitive dependencies alongside the libsvm module.
Mitigation Recommendations
Users of Apache OpenNLP 3.x should upgrade to version 3.0.0-M4, which addresses this vulnerability. For those unable to upgrade immediately, it is critical to treat all serialized SvmDoccatModel streams as untrusted unless their provenance is verified. Avoid calling SvmDoccatModel.deserialize() on streams from end users or third-party sources without integrity checks. No official patch or fix advisory is provided in the input data; therefore, patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-05-02T08:57:20.984Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4bdd5a27e9c79719dab256
Added to database: 07/06/2026, 16:52:42 UTC
Last enriched: 07/06/2026, 17:07:42 UTC
Last updated: 07/06/2026, 17:47:15 UTC
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.