{"id":59454,"date":"2026-06-03T05:47:56","date_gmt":"2026-06-03T05:47:56","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=59454"},"modified":"2026-06-03T05:47:56","modified_gmt":"2026-06-03T05:47:56","slug":"apache-mina-critical-deserialization-allow-list-bypass-via-resolveproxyclass-zdres-232","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=59454","title":{"rendered":"Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass – ZDRES-232_CVE-2026-47065"},"content":{"rendered":"

{“lastseen”:””,”description”:”ZDRES-232: resolveProxyClass Not Overridden – acceptMatchers Filter Bypass via java.lang.reflect.Proxy\\n\\n\\nAssessment: Fully addressed.\\n\\n\\nWhen the serialised stream contains a TC_PROXYCLASSDESC (the marker \\nfor a java.lang.reflect.Proxy ), JDK\u2019s ObjectInputStream.readProxyDesc()\\n is\\ndispatched. JDK then calls the default \\nObjectInputStream.resolveProxyClass(interfaces) implementation, which \\nperforms Class.forName(intf, false, latestUserDefinedLoader()) for EACH \\ninterface name and constructs the proxy class \u00e2\u20ac\u201d bypassing the accepted\\n classes list .\\n\\n\\nZDRES-233: Class.forName(name, initialize=true, classLoader) in \\nreadClassDescriptor Triggers Static Initialiser of Allow-Listed Classes\\n\\n\\nAssessment: Fully addressed.\\n\\n\\nFor ANY class on the allow-list, deserialising a stream that names it triggers the class\u2019s \\n (static initialiser) BEFORE any instance is constructed. This means an \\nattacker who supplies a class name on the allow-list (e.g., the \\ndeveloper wrote accept(\u201ccom.myapp.*\\”) , attacker supplies \\ncom.myapp.SomeClass ) causes \\u003cclinit\\u003e of SomeClass \u00e2\u20ac\u201d and many \\nreal-world classes have side-effecting static initialisers\\n\\n\\nBoth issues have been fixed.”,”published”:”2026-06-03T09:39:41.629Z”,”modified”:”2026-06-03T09:39:41.629Z”,”type”:”cve”,”title”:”Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass – ZDRES-232″,”source”:”apache”,”references”:”https:\/\/lists.apache.org\/thread\/y7xj1bl8qo47p9bktb11hg5v6k1d4dyj”,”id”:”CVE-2026-47065″,”bulletinFamily”:””,”cwe”:[“CWE-502″],”cvelist”:null,”sourceData”:”Apache Software Foundation Apache MINA 2.2.0\\nApache Software Foundation Apache MINA 2.1.0\\nApache Software Foundation Apache MINA 2.0.0″,”sourceHref”:””,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”Apache MINA”,”version”:”2.2.0, 2.1.0, 2.0.0″,”vendor”:”Apache Software Foundation”,”ai_description”:”Deserialization allow-list bypass via resolveProxyClass in Apache MINA, allowing an attacker to trigger static initializers of allow-listed classes”,”ai_severity”:”Critical”,”ai_vendor”:”Apache Software Foundation”,”ai_product”:”Apache MINA”,”ai_version”:”2.2.0, 2.1.0, 2.0.0″,”ai_score”:9.8}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:””,”description”:”ZDRES-232: resolveProxyClass Not Overridden – acceptMatchers Filter Bypass via java.lang.reflect.Proxy\\n\\n\\nAssessment: Fully addressed.\\n\\n\\nWhen the serialised stream contains a TC_PROXYCLASSDESC (the marker \\nfor a java.lang.reflect.Proxy ), JDK\u2019s…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[9,6,8,35,12,13,7,11,5],"class_list":["post-59454","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\nApache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass - ZDRES-232_CVE-2026-47065 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=59454\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass - ZDRES-232_CVE-2026-47065 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:””,”description”:”ZDRES-232: resolveProxyClass Not Overridden – acceptMatchers Filter Bypass via java.lang.reflect.ProxynnnAssessment: Fully addressed.nnnWhen the serialised stream contains a TC_PROXYCLASSDESC (the marker nfor a java.lang.reflect.Proxy ), JDK\u2019s...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=59454\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-03T05:47:56+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=59454#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=59454\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass – ZDRES-232_CVE-2026-47065\",\"datePublished\":\"2026-06-03T05:47:56+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=59454\"},\"wordCount\":350,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-9.8\",\"exploit\",\"news\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_cve\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=59454#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=59454\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=59454\",\"name\":\"Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass - ZDRES-232_CVE-2026-47065 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-06-03T05:47:56+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=59454#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=59454\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=59454#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass – ZDRES-232_CVE-2026-47065\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass - ZDRES-232_CVE-2026-47065 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=59454","og_locale":"en_US","og_type":"article","og_title":"Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass - ZDRES-232_CVE-2026-47065 - zero redgem","og_description":"{“lastseen”:””,”description”:”ZDRES-232: resolveProxyClass Not Overridden – acceptMatchers Filter Bypass via java.lang.reflect.ProxynnnAssessment: Fully addressed.nnnWhen the serialised stream contains a TC_PROXYCLASSDESC (the marker nfor a java.lang.reflect.Proxy ), JDK\u2019s...","og_url":"https:\/\/zero.redgem.net\/?p=59454","og_site_name":"zero redgem","article_published_time":"2026-06-03T05:47:56+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=59454#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=59454"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass – ZDRES-232_CVE-2026-47065","datePublished":"2026-06-03T05:47:56+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=59454"},"wordCount":350,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-9.8","exploit","news","Security","tapic","Vulnerability"],"articleSection":["category_cve"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=59454#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=59454","url":"https:\/\/zero.redgem.net\/?p=59454","name":"Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass - ZDRES-232_CVE-2026-47065 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-06-03T05:47:56+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=59454#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=59454"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=59454#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass – ZDRES-232_CVE-2026-47065"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/59454","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=59454"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/59454\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=59454"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=59454"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=59454"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}