CVE-2026-43825: Apache OpenNLP SvmDoccatModel unsafe deserialization
CVE-2026-43825 is verified against apache/opennlp · github affected versions: 3.0.0-M1 before 3.0.0-M4 (only on 3.x line; introduced in OPENNLP-1808) fixed version: 3.0.0-M4 vulnerability class: Deserialization This high reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00279.
pruva-verify REPRO-2026-00279 curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00279/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh Apache OpenNLP 3.x before 3.0.0-M4 contains an unsafe deserialization path in SvmDoccatModel.deserialize(InputStream). The method uses ObjectInputStream.readObject() on attacker-controlled serialized data before any filtering or validation, allowing gadget-chain execution on the consumer's classpath. The issue is in org.apache.opennlp:opennlp-ml-libsvm and is fixed in 3.0.0-M4 with ObjectInputFilter and resource limits.
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.