VYPR
Critical severity 9.8 · NVD Advisory · Published Apr 6, 2017 · Updated May 13, 2026

CVE-2016-6809

Description

Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.
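
The root cause described above is that bytes embedded in a parsed file reach native Java deserialization. The following is an added Java example of the fail-closed handling a parser of untrusted input needs; it is not code from Tika or JMatIO. The class GuardedObjectField, its methods and the allow-list are hypothetical, and the sample payload is constructed.

```java
import java.io.*;
import java.util.*;

// Added illustration: GuardedObjectField and its members are hypothetical names,
// not JMatIO or Tika classes.
public class GuardedObjectField {
    // Off by default: a parser of untrusted files must fail closed.
    private static volatile boolean allowObjectDeserialization = false;

    public static void setAllowObjectDeserialization(boolean allow) {
        allowObjectDeserialization = allow;
    }

    // Java serialization streams start with magic 0xACED and version 0x0005.
    static boolean looksSerialized(byte[] b) {
        return b.length >= 4 && (b[0] & 0xFF) == 0xAC && (b[1] & 0xFF) == 0xED
                && b[2] == 0x00 && b[3] == 0x05;
    }

    // Returns the decoded object, or the raw bytes when decoding is disabled.
    static Object read(byte[] field) throws IOException, ClassNotFoundException {
        if (!looksSerialized(field) || !allowObjectDeserialization) {
            return field; // untrusted bytes never reach readObject()
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(field))) {
            // Even when enabled, only allow-listed classes may be instantiated (Java 9+).
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "java.util.ArrayList;java.lang.String;java.lang.Object;"
                    + "maxdepth=5;maxbytes=65536;!*"));
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a harmless serialized list standing in for an embedded object.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new ArrayList<>(List.of("a", "b")));
        }
        byte[] field = buf.toByteArray();

        System.out.println("disabled -> " + read(field).getClass().getSimpleName());
        setAllowObjectDeserialization(true);
        System.out.println("enabled  -> " + read(field));
    }
}
```

With the flag left at its default the field comes back as raw bytes; when a caller opts in, any class outside the allow-list is rejected by the filter before it can be instantiated.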

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Affected versions    Patched versions
org.apache.tika:tika-core (Maven)    < 1.14               1.14

Patches

1
8a68b5d47420

clean up MatParser

https://github.com/apache/tika · tballison · Aug 11, 2016 · via ghsa
2 files changed · +7 −2
  • tika-parsers/pom.xml+2 2 modified
    @@ -108,9 +108,9 @@
     
         <!-- Upstream parser libraries -->
         <dependency>
    -      <groupId>net.sourceforge.jmatio</groupId>
    +      <groupId>org.tallison</groupId>
           <artifactId>jmatio</artifactId>
    -      <version>1.0</version>
    +      <version>1.2</version>
         </dependency>
         <dependency>
           <groupId>org.apache.james</groupId>
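
Review bot: The groupId on the jmatio dependency moves from net.sourceforge.jmatio to org.tallison with no comment explaining why a different publisher's artifact is now required. If this coordinate is what provides the MatFileReader.setAllowObjectDeserialization switch that MatParser depends on, say so in an XML comment above the dependency so a later cleanup does not revert to the original coordinate. It is also worth making sure the old net.sourceforge.jmatio artifact cannot return transitively, for example with an exclusion or a build-time ban on that coordinate.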
    
  • tika-parsers/src/main/java/org/apache/tika/parser/mat/MatParser.java+5 0 modified
    @@ -45,6 +45,11 @@
     
     public class MatParser extends AbstractParser {
     
    +    static {
    +        //make sure that this is set to false
    +        MatFileReader.setAllowObjectDeserialization(false);
    +    }
    +
         public static final String MATLAB_MIME_TYPE =
                 "application/x-matlab-data";
     
    
