fix(deps): update dependency org.apache.mina:mina-core to v2.2.7 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
org.apache.mina:mina-core (source)	2.2.5 → 2.2.7

---

Apache MINA Vulnerable to Deserialization of Untrusted Data (CVE-2024-52046 Incomplete Fix)

CVE-2026-41409 / GHSA-f2wh-grmh-r6jm

More information

Details

The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.

Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5.

The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier.

Affected are applications using Apache MINA that call IoBuffer.getObject().

Applications using Apache MINA are advised to upgrade

Severity

• CVSS Score: 9.8 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-41409
• https://lists.apache.org/thread/9ddvsq6c4l5bhwq8l14sob4f8qjvx5c9
• https://github.com/advisories/GHSA-76h9-2vwh-w278
• https://github.com/advisories/GHSA-f2wh-grmh-r6jm

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Apache MINA vulnerable to Deserialization of Untrusted Data (CVE-2026-41409 Incomplete Fix)

CVE-2026-42778 / GHSA-995c-6rp3-4m4x

More information

Details

The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description:

The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.

Affected versions are Apache MINA 2.1.0 <= 2.1.11, and 2.2.0 <= 2.2.6.

The problem is resolved in Apache MINA 2.1.12, and 2.2.7 by applying the classname allowlist earlier.

Affected are applications using Apache MINA that call IoBuffer.getObject().

Applications using Apache MINA are advised to upgrade.

Severity

• CVSS Score: 9.8 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-42778
• https://lists.apache.org/thread/fhlx5k91hrkgyzh7yk1nghrn3k27gxy0
• https://github.com/advisories/GHSA-76h9-2vwh-w278
• https://github.com/advisories/GHSA-f2wh-grmh-r6jm
• https://github.com/advisories/GHSA-995c-6rp3-4m4x

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Apache MINA vulnerable to Deserialization of Untrusted Data (CVE-2026-41635 Incomplete Fix)

CVE-2026-42779 / GHSA-vf5j-865m-mq7c

More information

Details

The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description:

Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.

The fix checks if the class is present in the accepted class filter before calling Class.forName().

Affected versions are Apache MINA 2.1.0 <= 2.1.11, and 2.2.0 <= 2.2.6.

The problem is resolved in Apache MINA 2.1.12, and 2.2.7 by applying the classname allowlist earlier.

Affected are applications using Apache MINA that call IoBuffer.getObject().

Applications using Apache MINA are advised to upgrade.

Severity

• CVSS Score: 9.8 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-42779
• https://lists.apache.org/thread/fhlx5k91hrkgyzh7yk1nghrn3k27gxy0
• https://github.com/advisories/GHSA-8297-v2rf-2p32
• https://github.com/advisories/GHSA-vf5j-865m-mq7c

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Apache MINA vulnerable to Deserialization of Untrusted Data

CVE-2026-41635 / GHSA-8297-v2rf-2p32

More information

Details

Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.

The fix checks if the class is present in the accepted class filter before calling Class.forName(). 

Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5.

The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier.

Affected are applications using Apache MINA that call IoBuffer.getObject().

Applications using Apache MINA are advised to upgrade.

Severity

• CVSS Score: 9.8 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-41635
• https://lists.apache.org/thread/1l91w1mqsb3lwfd504fs045ylxntt2tm
• http://www.openwall.com/lists/oss-security/2026/04/27/4
• https://github.com/advisories/GHSA-8297-v2rf-2p32

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

apache/mina (org.apache.mina:mina-core)

v2.2.7

Compare Source

v2.2.6

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[forking-renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: src/bom-testing/build.gradle.kts

Command failed: ./gradlew -Dorg.gradle.jvmargs=-Xms512m -Xmx512m --console=plain --dependency-verification lenient -q --write-verification-metadata sha256,pgp dependencies

FAILURE: Build completed with 2 failures.

1: Task failed with an exception.
-----------
* What went wrong:
A problem occurred configuring project ':build-logic:basics'.
> Could not resolve all dependencies for configuration 'classpath'.
   > Could not resolve project :build-logic-commons:gradle-plugin.
     Required by:
         buildscript of project ':build-logic:basics'
      > Failed to calculate the value of task ':build-logic-commons:gradle-plugin:compileJava' property 'javaCompiler'.
         > Cannot find a Java installation on your machine (Linux 6.1.155 amd64) matching: {languageVersion=21, vendor=any vendor, implementation=vendor-specific, nativeImageCapable=false}. Some toolchain resolvers had internal failures: foojay (Requesting vendor list failed: {
             "result":[],
             "message":"There was an internal error and the pkg cache is currently be restored, please try again later"
           }).

* Try:
> Learn more about toolchain auto-detection and auto-provisioning at https://docs.gradle.org/9.2.1/userguide/toolchains.html#sec:auto_detection.
> Learn more about toolchain repositories at https://docs.gradle.org/9.2.1/userguide/toolchains.html#sub:download_repositories.
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Get more help at https://help.gradle.org.
==============================================================================

2: Task failed with an exception.
-----------
* What went wrong:
A problem occurred configuring project ':build-logic:basics'.
> Could not resolve all dependencies for configuration 'classpath'.
   > Could not resolve project :build-logic-commons:gradle-plugin.
     Required by:
         buildscript of project ':build-logic:basics'
      > Failed to calculate the value of task ':build-logic-commons:gradle-plugin:compileJava' property 'javaCompiler'.
         > Cannot find a Java installation on your machine (Linux 6.1.155 amd64) matching: {languageVersion=21, vendor=any vendor, implementation=vendor-specific, nativeImageCapable=false}. Some toolchain resolvers had internal failures: foojay (Requesting vendor list failed: {
             "result":[],
             "message":"There was an internal error and the pkg cache is currently be restored, please try again later"
           }).

* Try:
> Learn more about toolchain auto-detection and auto-provisioning at https://docs.gradle.org/9.2.1/userguide/toolchains.html#sec:auto_detection.
> Learn more about toolchain repositories at https://docs.gradle.org/9.2.1/userguide/toolchains.html#sub:download_repositories.
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Get more help at https://help.gradle.org.
==============================================================================

BUILD FAILED in 1m 55s