CVE-2020-1948
Description
This vulnerability can affect all Dubbo users who stay on version 2.7.6 or lower. An attacker can send RPC requests with an unrecognized service name or method name along with some malicious parameter payloads. When the malicious parameter is deserialized, it will execute some malicious code. More details can be found below.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Dubbo versions ≤2.7.6 are vulnerable to remote code execution via deserialization of malicious parameters in RPC requests with unrecognized service or method names.
Vulnerability
Overview
CVE-2020-1948 is a remote code execution vulnerability in Apache Dubbo, a high-performance Java RPC framework. The root cause lies in the Hessian deserialization library, which Dubbo uses as its default serialization and deserialization tool. When an attacker sends an RPC request containing an unrecognized service name or method name along with a malicious parameter payload, the deserialization process can trigger arbitrary code execution [1][2].
Exploitation
An attacker can exploit this vulnerability by sending crafted RPC requests to a Dubbo service. The requests do not require valid service or method names; instead, they rely on the deserialization of malicious parameters. No authentication is mentioned as a prerequisite, meaning the attack can be launched from a network-accessible position [1][2].
Impact
Successful exploitation allows an attacker to execute arbitrary code on the Dubbo server. This could lead to full compromise of the affected system, including data theft, service disruption, or further lateral movement within the network [1][2].
Mitigation
The vulnerability affects all Dubbo versions 2.7.6 and earlier, including 2.6.x and 2.5.x (the latter is no longer officially supported). The vendor has released Dubbo version 2.7.7, which fixes the issue. Users are strongly advised to upgrade to 2.7.7 or later. No workarounds have been published [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.dubbo:dubbo (Maven) | < 2.7.7 | 2.7.7 |
| org.apache.dubbo:dubbo-common (Maven) | < 2.7.7 | 2.7.7 |
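As an added example (not code from this page or from the Dubbo project), the following Python script scans `mvn dependency:list` output for the two Maven coordinates in the table above and flags any version below the patched 2.7.7. The sample build output is constructed, and the version comparison is a simplified numeric rule (an assumption, not Maven's full ComparableVersion semantics).

```python
# Affected Maven coordinates and patched version, taken from the advisory
# table above (GHSA-whww-v56c-cgv2).
AFFECTED = {
    "org.apache.dubbo:dubbo": "2.7.7",
    "org.apache.dubbo:dubbo-common": "2.7.7",
}

# Constructed sample of `mvn dependency:list` output, not a real build log.
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.dubbo:dubbo:jar:2.7.6:compile
[INFO]    org.apache.dubbo:dubbo-common:jar:2.7.7:compile
[INFO]    com.alibaba:fastjson:jar:1.2.70:compile
"""

def parse_version(version):
    """Turn '2.7.6' or '2.7.7-SNAPSHOT' into a comparable key.
    Simplified rule (assumption): numeric dot-separated segments compare
    element-wise, and any '-qualifier' sorts below the bare release, so a
    2.7.7 pre-release still counts as older than the 2.7.7 fix."""
    base, _, qualifier = version.partition("-")
    numbers = tuple(int(p) for p in base.split(".") if p.isdigit())
    return numbers, 0 if qualifier else 1

def is_vulnerable(version, patched):
    """True when `version` is strictly older than the patched release."""
    return parse_version(version) < parse_version(patched)

def scan_dependency_list(text):
    """Return (coordinate, version, patched) for every affected artifact.
    Resolved lines carry groupId:artifactId:type[:classifier]:version:scope."""
    findings = []
    for line in text.splitlines():
        for token in line.split():
            parts = token.split(":")
            if len(parts) < 5:          # not a Maven coordinate token
                continue
            coordinate = f"{parts[0]}:{parts[1]}"
            version = parts[-2]         # the version precedes the scope
            patched = AFFECTED.get(coordinate)
            if patched and is_vulnerable(version, patched):
                findings.append((coordinate, version, patched))
    return findings

if __name__ == "__main__":
    for coordinate, version, patched in scan_dependency_list(SAMPLE_OUTPUT):
        print(f"{coordinate} {version} is affected by CVE-2020-1948; upgrade to {patched}")
```

Run it against the real output of `mvn dependency:list` to catch transitive copies of dubbo or dubbo-common that a direct-dependency check would miss.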
Affected products
- Dubbo / Dubbo (GHSA coordinates, 2 version ranges): < 2.7.7 and 1 more
- (no CPE) range: < 2.7.7
- (no CPE) range: < 2.7.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-whww-v56c-cgv2 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-1948 (GHSA, advisory)
- lists.apache.org/thread.html/rbaa41711b3e7a8cd20e9013737423ddd079ddc12f90180f86e76523c%40%3Csecurity.dubbo.apache.org%3E (GHSA, x_refsource_MISC, web)
- nsfocusglobal.com/apache-dubbo-remote-code-execution-vulnerability-cve-2020-1948-threat-alert (GHSA, web)
News mentions
No linked articles in our index yet.