{
  "verdict": "confirmed_bypass",
  "variant_outcome": "confirmed",
  "bypass_confirmed": true,
  "bypass_type": "denial_of_service_memory_exhaustion",
  "bypass_summary": "On the FIXED build (opennlp-3.0.0-M4, commit 3cf42d4a), SvmDoccatModel.deserialize() still reaches an unsafe deserialisation outcome: the ObjectInputFilter allow-lists HashMap + String, allows any primitive array up to maxArrayLength (10,000,000), and bounds per-array length + total references but NOT total memory. A HashMap<String,double[8_000_000]> payload is entirely allow-listed and within all numeric limits, yet deserialisation allocates n*64MiB during ObjectInputStream.readObject()->HashMap.readObject()->readArray and throws OutOfMemoryError on a constrained heap (before the cast). The filter does NOT reject the stream (large-heap run -> ClassCastException after full allocation, never InvalidClassException).",
  "reproduces_on_fixed": true,
  "reproduces_on_vulnerable": true,
  "fixed_commit_tested": "3cf42d4a0145cefd9dd06138873a91312052c767",
  "fixed_release_tested": "opennlp-3.0.0-M4",
  "vulnerable_commit_tested": "3cb7232ecaccc788e32bf76b7c031fb166840da5",
  "rce_bypass_found": false,
  "rce_bypass_rule_out_reason": "Every allow-listed class (OpenNLP doccat types; zlibsvm de.hhn.mi.* SvmConfigurationImpl/SvmModelImpl/SvmMetaInformationImpl/SvmFeatureImpl/SvmClassLabelImpl/NativeSvmModelWrapper; libsvm svm_model/svm_node/svm_parameter; JDK String/Number/Integer/Double/Boolean/Enum/HashMap/Map$Entry) is a plain data/record/enum/struct type with NO exploitable readObject/readResolve/writeReplace hook (verified via javap bytecode inspection). No gadget chain can be built from allow-listed classes alone. Control run confirms a foreign MaliciousGadget stream is rejected with InvalidClassException (filter status: REJECTED) on the fixed build and no gadget code executes.",
  "fix_primary_goal_holds": true,
  "fix_primary_goal_evidence": "fixed_rce run: feeding a MaliciousGadget stream to the fixed SvmDoccatModel.deserialize() throws InvalidClassException: filter status: REJECTED and no marker file is created (gadget readObject() does NOT run). vuln_rce run: the same stream executes the gadget (marker created) on the vulnerable build. Thus the fix closes the original CVE's RCE vector; only the DoS bypass evades it.",
  "impact_class": "denial_of_service",
  "original_claimed_impact_class": "code_execution",
  "impact_parity": "partial",
  "impact_parity_note": "Same sink (SvmDoccatModel.deserialize -> ObjectInputStream.readObject), same trust boundary (attacker-controlled serialized stream), same entry point, and a bypass of the fix's stated resource-limit protection. Lesser impact class: denial_of_service (memory exhaustion) vs the parent CVE's code_execution. The parent CVE's RCE mechanism is NOT bypassed.",
  "same_sink": true,
  "same_trust_boundary": true,
  "same_entry_point": true,
  "validated_surface": "library_api",
  "evidence_scope": "realistic_harness",
  "exploitability_confidence": "high",
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": null,
  "key_evidence": {
    "fixed_oom_small": "bundle/logs/vuln_variant/fixed_oom_small.log (OutOfMemoryError during ObjectInputStream.readArray/HashMap.readObject called from fixed SvmDoccatModel.deserialize:271)",
    "fixed_oom_large": "bundle/logs/vuln_variant/fixed_oom_large.log (ClassCastException at SvmDoccatModel.deserialize:271 after full 256MiB allocation -> filter ALLOWED the payload, no InvalidClassException)",
    "fixed_rce": "bundle/logs/vuln_variant/fixed_rce.log (InvalidClassException: filter status: REJECTED -> fix blocks foreign-gadget RCE)",
    "vuln_rce": "bundle/logs/vuln_variant/vuln_rce.log + bundle/logs/vuln_variant/gadget_executed_vuln_variant.txt (GADGET EXECUTED + marker -> RCE baseline on vulnerable build)",
    "fixed_version": "bundle/logs/vuln_variant/fixed_version.txt",
    "vulnerable_version": "bundle/logs/vuln_variant/vulnerable_version.txt"
  },
  "environment": {
    "jdk": "OpenJDK 21.0.11",
    "maven": "3.9.12",
    "os": "Ubuntu 26.04 (Linux)",
    "module": "org.apache.opennlp:opennlp-ml-libsvm"
  },
  "idempotency": "reproduction_steps.sh run 3x consecutively, all exit 0 with identical verdicts (BYPASS_CONFIRMED=yes, FIX_RCE_BLOCKED=yes, VULN_RCE_WORKS=yes); reuses worktrees/jars/classpath/payload",
  "pipeline_safety": "Project-cache repo HEAD unchanged at 3cf42d4a; testing used isolated git worktrees under bundle/vuln_variant/ (no checkout of the cache repo)"
}
