{
  "repository": "https://github.com/apache/opennlp",
  "commit_source": "git_rev_parse",
  "commit_sha": "3cf42d4a0145cefd9dd06138873a91312052c767",
  "submitted_target": {
    "target_kind": "git_commit",
    "commit_sha": "3cb7232ecaccc788e32bf76b7c031fb166840da5",
    "version": "3.0.0-SNAPSHOT (pre-3.0.0-M4)",
    "ref": "3cb7232e",
    "git_describe": "opennlp-2.3.2-358-g3cb7232e",
    "display": "apache/opennlp@3cb7232e (parent of fix commit 3cf42d4a^; pre-3.0.0-M4; vulnerable to the original CVE-2026-43825 RCE)"
  },
  "variant_target": {
    "target_kind": "git_commit",
    "commit_sha": "3cf42d4a0145cefd9dd06138873a91312052c767",
    "version": "3.0.0-M4",
    "ref": "3cf42d4a",
    "git_describe": "opennlp-2.3.2-359-g3cf42d4a",
    "release_tag": "opennlp-3.0.0-M4",
    "commit_subject": "OPENNLP-1823: Harden SvmDoccatModel.deserialize() with ObjectInputFilter and resource limits (#1029)",
    "display": "apache/opennlp@3cf42d4a (tag opennlp-3.0.0-M4; fixed for RCE; the denial-of-service bypass reproduces on this commit)"
  },
  "resolution_method": "Resolved via git rev-parse on the prepared project-cache mirror of github.com/apache/opennlp. The fix commit 3cf42d4a is contained in tag opennlp-3.0.0-M4 (verified via 'git tag --contains'). The vulnerable commit 3cb7232e is the parent of the fix (3cf42d4a^) and is NOT contained in opennlp-3.0.0-M4. Both commits were built from isolated git worktrees (bundle/vuln_variant/wt-vuln and wt-fixed); the project-cache repo HEAD was left unchanged at 3cf42d4a.",
  "module": "opennlp-core/opennlp-ml/opennlp-ml-libsvm",
  "build_jar_fixed": "bundle/vuln_variant/wt-fixed/opennlp-core/opennlp-ml/opennlp-ml-libsvm/target/opennlp-ml-libsvm-3.0.0-SNAPSHOT.jar",
  "build_jar_vulnerable": "bundle/vuln_variant/wt-vuln/opennlp-core/opennlp-ml/opennlp-ml-libsvm/target/opennlp-ml-libsvm-3.0.0-SNAPSHOT.jar",
  "jar_provenance_verification": "Built SvmDoccatModel.class string scan: fixed jar has 10 'ObjectInputFilter' strings + ALLOWED_CLASSES present; vulnerable jar has 0 'ObjectInputFilter' strings. Source filter-ref counts: vuln=0, fixed=11. Runtime behavior matches (fixed rejects foreign gadget; vulnerable executes it).",
  "notes": "Top-level commit_sha is the variant_target (fixed) commit on which the bypass reproduces. See bundle/logs/vuln_variant/fixed_version.txt and vulnerable_version.txt."
}
