Emmanuel Lécharny

#22711 of 53,633
Total CVSS: 10
Vulnerabilities · 1
PT-2024-9987 · CVSS 10 · 2024-12-24
Apache · Apache Mina · CVE-2024-52046
**Name of the Vulnerable Software and Affected Versions**

Apache MINA versions 2.0.X through 2.2.X

**Description**

The ObjectSerializationDecoder in Apache MINA lacks the necessary security checks when processing incoming serialized data using Java's native deserialization protocol. This allows attackers to send crafted malicious serialized data, potentially leading to remote code execution (RCE). The `IoBuffer#getObject()` method is a key component in the exploitation chain, particularly when used with the `ObjectSerializationCodecFactory` class.

**Recommendations**

Upgrade to versions 2.0.27, 2.1.10, or 2.2.4. Upgrading alone is not sufficient: you must also explicitly allow the classes the decoder will accept on the ObjectSerializationDecoder instance, using one of the following methods: `accept(ClassNameMatcher classNameMatcher)`, `accept(Pattern pattern)`, or `accept(String... patterns)`.
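A defensive configuration of the fixed decoder, as an added example that is not part of the advisory or of the MINA project's own code: it assumes MINA 2.2.4 or later, a hypothetical application message package `com.example.proto`, and that `ObjectSerializationCodecFactory.getDecoder(...)` returns the factory's own `ObjectSerializationDecoder` instance (which is how MINA 2.x implements the factory).

```java
// Added example (not from the advisory): attach an explicit class allowlist to
// the fixed ObjectSerializationDecoder before the codec is installed on an
// acceptor. Assumes MINA 2.2.4+ and the hypothetical package com.example.proto.
import java.util.regex.Pattern;

import org.apache.mina.core.service.IoAcceptor;
import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.serialization.ObjectSerializationCodecFactory;
import org.apache.mina.filter.codec.serialization.ObjectSerializationDecoder;
import org.apache.mina.transport.socket.nio.NioSocketAcceptor;

public class AllowlistedObjectCodec {

    public static IoAcceptor newAcceptor() {
        ObjectSerializationCodecFactory codec = new ObjectSerializationCodecFactory();

        // Assumption: the factory hands back the single decoder instance it owns,
        // so configuring it once here covers every session that uses this filter.
        ObjectSerializationDecoder decoder =
                (ObjectSerializationDecoder) codec.getDecoder(null);

        // Allowlist only the message types this service expects; any other class
        // name found in the stream is rejected before it is resolved and instantiated.
        // accept(String... patterns): wildcard class-name patterns
        decoder.accept("com.example.proto.*");
        // accept(Pattern): a regular expression over the fully qualified name
        decoder.accept(Pattern.compile("^java\\.util\\.(ArrayList|HashMap)$"));
        // accept(ClassNameMatcher): arbitrary logic, here a single exact name
        decoder.accept(className -> className.equals("java.lang.Integer"));

        // Keep the existing size guard too: it bounds memory spent per object.
        codec.setDecoderMaxObjectSize(64 * 1024);

        IoAcceptor acceptor = new NioSocketAcceptor();
        acceptor.getFilterChain().addLast("codec", new ProtocolCodecFilter(codec));
        return acceptor;
    }
}
```

With no `accept(...)` call at all the fixed decoder admits no class, so a service that forgets this step fails closed rather than open; review the allowlist whenever a new message type is added.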