Unsafe Deserialization RCE in Apache Camel camel-infinispan ProtoStream Remote Aggregation Repository
CVE-2026-40858 is an unsafe deserialization vulnerability in the Apache Camel camel-infinispan component, specifically in its ProtoStream-based remote aggregation repository. The vulnerable code path deserializes data read from a remote Infinispan cache using java.io.ObjectInputStream without applying an ObjectInputFilter. If an attacker can place a crafted serialized Java object into the Infinispan cache used by the Camel application, that object may be deserialized during normal aggregation repository operations such as get or recover. Successful exploitation can trigger arbitrary code execution within the context of the affected Camel application. The issue affects Apache Camel versions 4.0.0 before 4.14.7, 4.15.0 before 4.18.2, and 4.19.0 before 4.20.0.
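The pattern the description above names, shown as an added illustration that is not Camel's or Infinispan's code: bytes returned by an untrusted cache go through ObjectInputStream either with no filter (the vulnerable shape) or with a JDK ObjectInputFilter allowlist installed before readObject() (the hardened shape, Java 9+). The class names, the allowlist pattern and the stand-in NotOnAllowlist class are assumptions; a real allowlist must name exactly the classes the aggregation repository stores and nothing else.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;

public class FilteredCacheDeserialization {
    // Allowlist filter installed before readObject(). The pattern is an ASSUMPTION for
    // illustration: a real deployment names exactly the classes the aggregation repository
    // stores and rejects the rest ("!*"); the limits also cap graph depth and size.
    static final ObjectInputFilter CACHE_FILTER = ObjectInputFilter.Config.createFilter(
            "java.util.ArrayList;java.lang.String;maxdepth=20;maxrefs=1000;maxbytes=1048576;!*");

    // Reads an object from bytes an untrusted store returned (a remote cache entry here).
    // A null filter reproduces the vulnerable shape: any Serializable class on the
    // classpath can be instantiated by a poisoned entry.
    static Object deserializeFromCache(byte[] bytes, ObjectInputFilter filter) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            if (filter != null) {
                in.setObjectInputFilter(filter); // the call the vulnerable path lacks
            }
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    // Constructed, harmless class standing in for "a class not on the allowlist".
    static class NotOnAllowlist implements Serializable { private static final long serialVersionUID = 1L; }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new ArrayList<>(java.util.List.of("a", "b")));
        byte[] foreign = serialize(new NotOnAllowlist());
        System.out.println("no filter: " + deserializeFromCache(foreign, null).getClass().getSimpleName());
        System.out.println("filter, benign entry: " + deserializeFromCache(benign, CACHE_FILTER));
        try {
            deserializeFromCache(foreign, CACHE_FILTER);
        } catch (InvalidClassException e) {
            System.out.println("filter, foreign class: " + e.getMessage());
        }
    }
}
```

The same filter can be applied process-wide with the jdk.serialFilter system property instead of per stream, which also covers deserialization sites a code review missed.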
Exploits
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
The repository contains a multi-PoC assessment for three Apache Camel 4.18.0 vulnerabilities, not a framework module. It is split into per-CVE Java applications under poc/cve-2026-33453-coap, poc/cve-2026-40473-mina, and poc/cve-2026-40858-infinispan; a docker-compose lab that exposes the vulnerable services; and three Python exploit scripts under poc/exploits. README.md and EXPLOITS-REPORT.md document root cause, attack flow, and reproduction steps.

Main exploit capabilities:
- CVE-2026-33453: exploit_cve_2026_33453_coap.py crafts raw CoAP UDP packets and injects CamelExecCommandExecutable/CamelExecCommandArgs as URI query parameters to override camel-exec behavior on /api/status. It is a direct unauthenticated network RCE PoC and parses CoAP responses to display command output.
- CVE-2026-40473: exploit_cve_2026_40473_mina.py targets MINA TCP endpoints, especially raw TCP on 9879, and uses ysoserial-generated gadget chains for unsafe Java deserialization. It includes a callback listener to capture command output via HTTP POST/curl from the victim. The Java helper MinaGadgetGenerator builds MINA-compatible serialized gadget bytes, and MinaTestPayload validates wire compatibility.
- CVE-2026-40858: exploit_cve_2026_40858_infinispan.py builds a Hot Rod PUT request to write malicious serialized bytes into an Infinispan cache entry used by Camel aggregation. This is a delayed-trigger exploit: code execution occurs when Camel later deserializes the cached object. It can use ysoserial if available or a demo serialized object otherwise.

Repository purpose: to demonstrate exploitability of three claimed Apache Camel 4.18.0 issues in a controlled Docker lab. The Java apps intentionally expose vulnerable routes, while the Python scripts operationalize exploitation over UDP/TCP/cache protocols. The code is coherent, aligned with the documented CVEs, and clearly intended as working proof-of-concept exploit material rather than mere detection.
The repository is a multi-PoC research project for three Apache Camel 4.18.0 vulnerabilities, not a framework module. It is split into:
(1) a README and exploit report documenting root cause and reproduction;
(2) three Java/Maven vulnerable demo applications under poc/cve-* with Dockerfiles;
(3) a docker-compose.yml to launch the lab; and
(4) three Python exploit scripts under poc/exploits.

The CoAP PoC demonstrates unauthenticated header injection over UDP/5683 by crafting raw CoAP packets with URI query parameters that become Camel headers, overriding camel-exec command settings and returning command output. The MINA PoC demonstrates unsafe Java deserialization over TCP on ports 9877/9878/9879; the most important path is 9879 with allowDefaultCodec=false, where raw IoBuffer data is converted into an ObjectInputStream without filtering. Supporting Java utilities generate MINA-compatible serialized payloads and test framing. The Python MINA exploit can use ysoserial gadget chains and starts a local HTTP listener to capture exfiltrated command output via curl from the target. The Infinispan PoC demonstrates cache poisoning against a Camel aggregation repository backed by Infinispan; the Python exploit crafts a Hot Rod PUT request to write a malicious serialized object to a predictable cache key, relying on later deserialization by Camel to trigger execution.

Overall, this is a real exploit repository with operational PoCs, local lab infrastructure, and clear network targets: CoAP UDP/5683, MINA TCP/9877-9879, and Infinispan Hot Rod TCP/11222.