Apache Camel Mina Component Unsafe Deserialization Vulnerability in Type Converter

Vulnerability

A vulnerability exists in the Apache Camel Mina component, in the MinaConverter.toObjectInput(IoBuffer) type converter. The converter wraps the incoming IoBuffer in a java.io.ObjectInputStream with no ObjectInputFilter and no other restriction on which classes the stream may resolve, so any Serializable class on the application's classpath can be instantiated from network input. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion of the message body to ObjectInput, an attacker who can reach the MINA consumer port can send a crafted serialized Java object; deserializing it can execute arbitrary code in the application's context. Routes that never request conversion to ObjectInput do not invoke this converter, so that conversion is a precondition for reaching the vulnerable code.
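The vulnerable and hardened shapes side by side, as an added example that is not code from Apache Camel or Apache MINA: plain JDK classes stand in for the converter (a byte[] replaces the IoBuffer), the Msg class and both payloads are constructed for the demonstration, and the ArrayList is only a stand-in for a class the route never expects, not a gadget chain. The hardening shown is the JDK's own java.io.ObjectInputFilter (JDK 9+), which is what the advisory says the converter lacks.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInput;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

public class ObjectInputFilterDemo {

    // Vulnerable shape, as the advisory describes for MinaConverter.toObjectInput(IoBuffer):
    // raw network bytes go straight into an unfiltered ObjectInputStream, so the stream may
    // instantiate any Serializable class on the classpath, gadget-chain classes included.
    static ObjectInput unfilteredObjectInput(byte[] raw) throws IOException {
        return new ObjectInputStream(new ByteArrayInputStream(raw));
    }

    // Hardened shape: the same wrapping, but a JDK ObjectInputFilter is installed before any
    // object is read. Only Msg (and java.lang.String, the type of its field) may be resolved;
    // "!*" rejects every other class, and the limits bound nesting depth and stream size.
    static ObjectInput filteredObjectInput(byte[] raw) throws IOException {
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw));
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                "Msg;java.lang.String;maxdepth=4;maxbytes=65536;!*");
        ois.setObjectInputFilter(allowList);
        return ois;
    }

    // Plays the role of the remote sender: produces the bytes that would arrive on the port.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Reads one object and reports whether the stream accepted it or the filter rejected it.
    static String describe(String label, ObjectInput in) {
        try {
            Object o = in.readObject();
            return label + ": accepted " + o.getClass().getName();
        } catch (InvalidClassException e) {
            return label + ": rejected by filter (" + e.getMessage() + ")";
        } catch (IOException | ClassNotFoundException e) {
            return label + ": failed (" + e + ")";
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] expected = serialize(new Msg("hello"));
        // Constructed stand-in for an attacker-chosen payload: a class the route never expects.
        byte[] unexpected = serialize(new ArrayList<>(List.of(1, 2, 3)));

        System.out.println(describe("unfiltered/expected", unfilteredObjectInput(expected)));
        System.out.println(describe("unfiltered/unexpected", unfilteredObjectInput(unexpected)));
        System.out.println(describe("filtered/expected", filteredObjectInput(expected)));
        System.out.println(describe("filtered/unexpected", filteredObjectInput(unexpected)));
    }
}

// Hypothetical message type the route expects on the wire (constructed for this example).
class Msg implements Serializable {
    private static final long serialVersionUID = 1L;
    final String text;

    Msg(String text) {
        this.text = text;
    }
}
```

Run it as `java ObjectInputFilterDemo.java`. The unfiltered path deserializes both payloads; the filtered path accepts Msg and throws InvalidClassException for the ArrayList when its class descriptor is read, before any of its contents are materialized. Where upgrading is not immediately possible, a JVM-wide filter set with the standard `-Djdk.serialFilter=` property (or ObjectInputFilter.Config.setSerialFilter) applies to every ObjectInputStream in the process that does not install its own filter, which includes the converter described above; that is a blanket mitigation for the JVM, not a fix for the component.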

Impact

Exploitation of this vulnerability allows for arbitrary code execution in the context of the application receiving the crafted serialized object.

Remediation

Users are advised to upgrade to Apache Camel 4.20.0, or to 4.14.6 on the 4.14.x LTS release stream or 4.18.2 on the 4.18.x release stream.

Added: Apr 27, 2026, 9:34 AM
Updated: Apr 27, 2026, 9:34 AM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 7.5
exploitability: 4.1
remediation: 7.7
relevance: 6.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.