Unsafe deserialization in Apache Camel CassandraQL AggregationRepository

Repository purpose: a Spring Boot + Apache Camel proof-of-concept reproducer for an unsafe Java deserialization condition in Camel's LevelDB Aggregation Repository serializer (DefaultLevelDBSerializer uses raw ObjectInputStream without an ObjectInputFilter). The PoC demonstrates how a malicious serialized object placed into the LevelDB backing store can be deserialized during repository reads/recovery, leading to code execution if a gadget chain is available. Structure and key files: - pom.xml: Maven build; uses Spring Boot 3.2.0, Apache Camel 4.18.0-SNAPSHOT, and explicitly includes commons-collections:3.2.1 to ensure a known ysoserial gadget chain is on the classpath. - src/main/java/com/example/Application.java: Spring Boot entry point. - src/main/java/com/example/ExploitController.java: Main PoC logic exposing REST endpoints: - GET /exploit/init: creates /tmp/leveldb-exploit/aggregation.db, starts a LevelDBAggregationRepository named "myrepo", and writes a legitimate exchange under key "test-key". - POST /exploit/inject: accepts a hex string, converts to bytes, opens LevelDB directly (org.iq80.leveldb), and writes the bytes as the value for key "myrepo\0malicious-key" (repositoryName + NUL + correlationKey). This simulates an attacker gaining write access to the LevelDB store. - GET /exploit/trigger: starts the repository, enumerates keys, and calls repo.get(camelContext, key) for each key. This forces unmarshalling/deserialization of the stored bytes; a malicious entry triggers gadget execution. - GET /exploit/cleanup: deletes the LevelDB directory/files. - src/main/java/com/example/LevelDBRoute.java and StringAggregationStrategy.java: illustrative Camel aggregation route/strategy; route is intentionally disabled to avoid LevelDB file locking and keep the PoC manual. - src/main/resources/application.properties: sets server.port=8080. Exploit capabilities: - Writes attacker-controlled serialized bytes into the LevelDB store (via provided HTTP endpoint in this PoC). - Triggers deserialization by invoking LevelDBAggregationRepository.get() over stored keys. - Achieves RCE when a gadget chain is present (the project includes commons-collections 3.2.1; README suggests generating payloads with ysoserial CommonsCollections7). Notes on realism/conditions: - In real deployments, the primary prerequisite is an attacker-controlled write into the LevelDB persistence (filesystem access or another vulnerability). This PoC adds a network-accessible injection endpoint to make the condition easy to reproduce.