This vulnerability in Apache MINA arises from improper override of ObjectInputStream.resolveProxyClass, allowing a proxy class filter bypass when deserializing streams containing TC_PROXYCLASSDESC markers. The default JDK implementation loads proxy interfaces without enforcing the accepted classes list, enabling attackers to bypass restrictions. Additionally, deserialization of allow-listed classes triggers their static initializers before instance creation, which can cause unintended side effects. Both issues have been fully addressed by Apache, but no specific patch or version information is provided in the advisory.

Successful exploitation could allow an attacker to bypass class acceptance filters during deserialization and trigger static initializers of allow-listed classes, potentially leading to arbitrary code execution or other side effects. The CVSS score of 9.8 indicates a critical impact with network attack vector, no privileges required, and no user interaction needed, affecting confidentiality, integrity, and availability.

The vendor advisory states that both issues have been fully addressed. However, no explicit patch or updated version information is provided. Users should consult the official Apache MINA project resources or security advisories for the latest patched versions or updates. Until confirmed, patch status is not yet confirmed — check the vendor advisory for current remediation guidance.