VYPR
Critical severity · NVD Advisory · Published May 24, 2018 · Updated Sep 16, 2024

CVE-2018-8013

Description

In Apache Batik 1.x before 1.10, when deserializing a subclass of AbstractDocument, the class takes a string from the inputStream as a class name, which it then uses to call the no-arg constructor of that class. The fix was to check the class type before calling newInstance during deserialization.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In Apache Batik before 1.10, deserialization of AbstractDocument subclasses allows arbitrary class instantiation, leading to remote code execution.

Vulnerability

In Apache Batik versions 1.x before 1.10, the deserialization of subclasses of AbstractDocument reads a class name from the input stream and uses it to invoke the no-arg constructor via newInstance(), without proper validation [1][3]. This allows an attacker to instantiate arbitrary classes available on the classpath.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious serialized Batik document and delivering it to a vulnerable application. No authentication or user interaction is required. The attacker simply needs to supply a class name that, when instantiated, triggers malicious side effects or loads additional payloads [4].

Impact

Successful exploitation allows an attacker to instantiate arbitrary Java classes, potentially leading to remote code execution (RCE) with the privileges of the application. This results in a complete compromise of confidentiality, integrity, and availability, as reflected by a CVSS v3 base score of 9.8 (Critical) [4].

Mitigation

The vulnerability is fixed in Apache Batik version 1.10, released on 2018-05-23 [3]. Users should upgrade to Batik 1.10 or later. If upgrading is not immediately possible, avoid deserializing untrusted data with Batik's deserialization routines.
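The type check the fix describes, shown in a self-contained stand-in for AbstractDocument's custom readObject (added example, not Batik's code; DocGuardDemo, StubImpl and roundTrip are hypothetical names). It goes one step beyond the page's diff by resolving the class with initialize=false so the check runs before any static initializer of the named class:

```java
import java.io.*;
import org.w3c.dom.*;

/** Hypothetical stand-in for AbstractDocument: the stream carries the implementation's class name. */
public class DocGuardDemo implements Serializable {
    private static final long serialVersionUID = 1L;
    private transient DOMImplementation implementation;
    private final String implClassName;
    DocGuardDemo(String implClassName) { this.implClassName = implClassName; }
    private void readObject(ObjectInputStream s) throws IOException, ClassNotFoundException {
        s.defaultReadObject();   // implClassName arrives in untrusted bytes
        // initialize=false: no static initializer of an unrelated class runs before the type check
        Class<?> c = Class.forName(implClassName, false, DocGuardDemo.class.getClassLoader());
        implementation = instantiateGuarded(c);
    }
    /** The 1.10 check: refuse anything that is not a DOMImplementation before calling newInstance. */
    static DOMImplementation instantiateGuarded(Class<?> c) throws InvalidObjectException {
        if (!DOMImplementation.class.isAssignableFrom(c)) {
            throw new SecurityException("Trying to create object that is not a DOMImplementation.");
        }
        try {
            return (DOMImplementation) c.getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException e) {   // fail closed rather than silently leaving null
            throw new InvalidObjectException("cannot instantiate " + c.getName() + ": " + e);
        }
    }

    /** Minimal legitimate DOMImplementation so the accepted path can be exercised offline. */
    public static class StubImpl implements DOMImplementation {
        public boolean hasFeature(String f, String v) { return false; }
        public DocumentType createDocumentType(String q, String p, String s) { return null; }
        public Document createDocument(String ns, String q, DocumentType dt) { return null; }
        public Object getFeature(String f, String v) { return null; }
    }
    /** Serialise a document naming implClassName, then deserialise it as a consumer would. */
    static DocGuardDemo roundTrip(String implClassName) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(new DocGuardDemo(implClassName)); }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return (DocGuardDemo) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("accepted: " + roundTrip(StubImpl.class.getName()).implementation.getClass().getName());
        try { roundTrip("java.util.ArrayList"); }   // constructed stand-in for a class that is not a DOMImplementation
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The first round trip succeeds because StubImpl implements DOMImplementation; the second is rejected by the type check before any constructor runs.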

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.xmlgraphics:batik (Maven)
Affected versions: >= 1.0, < 1.10
Patched versions: 1.10


Patches

f91125b26a6c

BATIK-1222: Only call DOMImplementation in deserialization

https://github.com/apache/xmlgraphics-batik · Simon Steiner · May 9, 2018 · via ghsa
1 file changed · +7 −3
  • batik-dom/src/main/java/org/apache/batik/dom/AbstractDocument.java · +7 −3 · modified
    @@ -2729,9 +2729,13 @@ private void readObject(ObjectInputStream s)
                 Method m = c.getMethod("getDOMImplementation", (Class[])null);
                 implementation = (DOMImplementation)m.invoke(null, (Object[])null);
             } catch (Exception e) {
    -            try {
    -                implementation = (DOMImplementation)c.getDeclaredConstructor().newInstance();
    -            } catch (Exception ex) {
    +            if (DOMImplementation.class.isAssignableFrom(c)) {
    +                try {
    +                    implementation = (DOMImplementation)c.getDeclaredConstructor().newInstance();
    +                } catch (Exception ex) {
    +                }
    +            } else {
    +                throw new SecurityException("Trying to create object that is not a DOMImplementation.");
                 }
             }
         }
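Review bot: the new `DOMImplementation.class.isAssignableFrom(c)` guard gates only the constructor fallback inside the catch; the `c.getMethod("getDOMImplementation", ...)` and `m.invoke(null, ...)` lines at the top of the try still run against whatever class `c` resolved to before any type check, and the `(DOMImplementation)` cast rejects a wrong return type only after that static method has already executed. If every legitimate implementation class here is itself a DOMImplementation, hoist the check above the first reflective call so both paths are covered. Separately, the inner `catch (Exception ex) { }` is still empty, so a failed instantiation leaves `implementation` null without a trace; log it or rethrow as an InvalidObjectException so deserialization fails closed.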
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
