Camel-PQC Vulnerable to Deserialization of Untrusted Data
The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of <keyId>.key files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to java.security.KeyPair is evaluated only after readObject() has already returned, so any readObject() side effects in the deserialized object run before the type check. An attacker who can write to the key directory used by a Camel application — for example through a path …
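The following is an added, self-contained illustration of the pattern described above and of the two usual fixes; it is not code from Camel-PQC. The class and method names (`KeyFileLoading`, `loadUnfiltered`, `loadFiltered`, `loadEncoded`) are hypothetical, RSA is used only because every JDK ships it (the loading code itself is algorithm-agnostic), and the allow-list pattern assumes keys that the JDK's own providers serialize through `java.security.KeyRep`; a third-party provider that serializes its own key classes would need those added to the pattern.

```java
import java.io.InvalidClassException;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import java.util.HashMap;

public class KeyFileLoading {

    // Vulnerable pattern (hypothetical stand-in for the advisory's description):
    // the whole stream is deserialized, and any readObject()/readResolve()
    // logic of the classes named in the file has already run, before the
    // cast to KeyPair is ever evaluated.
    static KeyPair loadUnfiltered(Path keyFile) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(Files.newInputStream(keyFile))) {
            return (KeyPair) in.readObject();
        }
    }

    // Defense in depth if the serialized format must be kept: an allow-list
    // filter consulted for every class descriptor before an instance exists.
    // "!*" rejects everything not listed; the limits bound stream size,
    // nesting depth and reference count. Assumption: JDK built-in keys are
    // written via java.security.KeyRep (String/Enum/byte[] fields).
    static final String KEY_FILTER_PATTERN =
            "maxdepth=8;maxrefs=64;maxbytes=65536;"
            + "java.security.KeyPair;java.security.KeyRep;java.security.KeyRep$Type;"
            + "java.lang.Enum;java.lang.String;!*";

    static KeyPair loadFiltered(Path keyFile) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(KEY_FILTER_PATTERN);
        try (ObjectInputStream in = new ObjectInputStream(Files.newInputStream(keyFile))) {
            in.setObjectInputFilter(filter);   // must be set before readObject()
            return (KeyPair) in.readObject();
        }
    }

    // Preferred fix: no Java serialization at all. Persist the standard key
    // encodings and rebuild them with KeyFactory, so the file can never name
    // a class to instantiate.
    static void storeEncoded(KeyPair kp, Path pubFile, Path privFile) throws IOException {
        Files.write(pubFile, kp.getPublic().getEncoded());    // X.509 SubjectPublicKeyInfo
        Files.write(privFile, kp.getPrivate().getEncoded());  // PKCS#8
    }

    static KeyPair loadEncoded(String algorithm, Path pubFile, Path privFile)
            throws GeneralSecurityException, IOException {
        KeyFactory kf = KeyFactory.getInstance(algorithm);
        PublicKey pub = kf.generatePublic(new X509EncodedKeySpec(Files.readAllBytes(pubFile)));
        PrivateKey priv = kf.generatePrivate(new PKCS8EncodedKeySpec(Files.readAllBytes(privFile)));
        return new KeyPair(pub, priv);
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("keys");
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();

        // A genuine serialized KeyPair passes the filter.
        Path serialized = dir.resolve("demo.key");
        try (ObjectOutputStream out = new ObjectOutputStream(Files.newOutputStream(serialized))) {
            out.writeObject(kp);
        }
        KeyPair a = loadFiltered(serialized);
        System.out.println("filtered load ok: "
                + Arrays.equals(a.getPublic().getEncoded(), kp.getPublic().getEncoded()));

        // A file naming an unrelated class (a harmless HashMap, constructed here
        // for the demo) is rejected by the filter before it is instantiated,
        // whereas the unfiltered loader instantiates it fully and only then
        // fails on the cast.
        Path foreign = dir.resolve("foreign.key");
        try (ObjectOutputStream out = new ObjectOutputStream(Files.newOutputStream(foreign))) {
            out.writeObject(new HashMap<String, String>());
        }
        try {
            loadFiltered(foreign);
        } catch (InvalidClassException e) {
            System.out.println("filtered load rejected: " + e.getMessage());
        }
        try {
            loadUnfiltered(foreign);
        } catch (ClassCastException e) {
            System.out.println("unfiltered load: object was deserialized before the cast failed");
        }

        // Encoded storage round-trips the same key pair with no ObjectInputStream involved.
        storeEncoded(kp, dir.resolve("demo.pub"), dir.resolve("demo.p8"));
        KeyPair b = loadEncoded("RSA", dir.resolve("demo.pub"), dir.resolve("demo.p8"));
        System.out.println("encoded load ok: "
                + Arrays.equals(b.getPrivate().getEncoded(), kp.getPrivate().getEncoded()));
    }
}
```

The filter is applied per class descriptor as the stream is parsed, which is why it closes the window the advisory describes: rejection happens before any constructor, `readObject()` or `readResolve()` of an unexpected class can run. The encoded-storage variant is the stronger fix because it removes `ObjectInputStream` from the key path entirely, and it is the one to prefer where the on-disk format can be changed.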