Open Redirect or SSRF vulnerability usage of parseURL
Description
In Apache Dubbo prior to 2.6.9 and 2.7.9, the usage of parseURL method will lead to the bypass of white host check which can cause open redirect or SSRF vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Dubbo's parseURL method bypasses host whitelist, enabling open redirect or SSRF in versions before 2.6.9 and 2.7.9.
Vulnerability
Apache Dubbo validates target hosts against a whitelist, but the way the parseURL method is used lets a crafted URL pass that check while still resolving to a host outside the list. The outcome is an open redirect or server-side request forgery (SSRF), depending on what the server does with the accepted URL. The description covers versions before 2.6.9 on the 2.6 line and before 2.7.9 on the 2.7 line [1]. It does not name the component that invokes parseURL, so any Dubbo code path that accepts a URL from outside and runs it through the whitelist check should be treated as reachable.
Exploitation
An attacker who can get a URL in front of an affected Dubbo component crafts it so that the whitelist check sees an allowed host while the redirect or outbound request actually targets a host of the attacker's choosing. The published description does not state authentication or privilege requirements for reaching the parseURL call, so an authenticated-only exposure should not be assumed [1]. No user interaction is needed beyond the service processing the request.
Impact
Successful exploitation can result in an open redirect, where the attacker forces the Dubbo server to redirect a client to an external malicious site, or an SSRF attack, allowing the server to make requests to internal or external resources, potentially leading to further compromise of internal systems. The attacker gains the ability to control the destination of server-side HTTP requests, which can lead to information disclosure or lateral movement within the network [1].
Mitigation
The CVE description names 2.6.9 and 2.7.9 as the fixed versions; the GitHub Security Advisory that feeds the package table below lists the patched releases as 2.6.9 for com.alibaba:dubbo and 2.7.10 for org.apache.dubbo:dubbo. Upgrade to at least 2.6.9 on the 2.6 line and, to satisfy both sources, at least 2.7.10 on the 2.7 line. Check which artifact coordinates a build actually resolves (the older com.alibaba:dubbo versus org.apache.dubbo:dubbo), since a dependency scan keyed on only one of them will miss the other. The fix makes the parseURL path validate the host against the whitelist properly, preventing the bypass [1]. No known workarounds exist. This CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
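The bug class named above, a host whitelist that the URL parser disagrees with, is easiest to see side by side with its fix. The following Python is an added example and is not Apache Dubbo's parseURL nor a reproduction of the exact Dubbo bypass; the allowlist, the hostnames and the crafted inputs are constructed for the demonstration. The weak check inspects the raw URL string; the hardened check parses first with the same parser the request path would use and then compares the resolved hostname exactly.

```python
"""Added example: a host-allowlist check on the raw URL string versus one
that parses first and compares the resolved hostname.

Illustrative code for the bug class on this page (a whitelisted-host check
bypassed through URL parsing).  It is not Apache Dubbo's parseURL and does
not reproduce the exact Dubbo bypass; the allowlist, hostnames and crafted
inputs are constructed for the demo.
"""
import re
from urllib.parse import urlsplit

# Constructed allowlist (assumption for the demo, not taken from Dubbo).
ALLOWED_HOSTS = {"registry.internal.example", "gateway.internal.example"}


def naive_host_check(url: str) -> bool:
    """Weak pattern: grab the authority from the raw string with a regex,
    drop an optional port, and accept if an allowed name appears in it.
    Userinfo ('allowed@evil') and suffix tricks ('allowed.evil') both pass,
    and the case-sensitive substring test also rejects legitimate URLs that
    differ only in letter case."""
    m = re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]*)", url)
    if not m:
        return False
    host = m.group(1).split(":")[0]
    return any(allowed in host for allowed in ALLOWED_HOSTS)


def strict_host_check(url: str) -> bool:
    """Hardened pattern: parse with the same parser the request path will
    use, then compare the resolved hostname exactly.  Userinfo is rejected
    outright because it is the classic way to make the allowlist and the
    connection logic disagree about which host is being contacted."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # lower-cased, port removed, IPv6 brackets stripped
    return host is not None and host in ALLOWED_HOSTS


# Constructed inputs: two legitimate URLs and three aimed at the weak check.
CRAFTED_URLS = [
    "http://registry.internal.example/metadata",            # legitimate
    "HTTP://Registry.Internal.Example:8080/metadata",       # legitimate, mixed case + port
    "http://registry.internal.example@evil.example/",       # userinfo trick
    "http://registry.internal.example.evil.example/",       # suffix trick
    "http://evil.example/?next=registry.internal.example",  # allowed name only in query
]


def evaluate(urls=CRAFTED_URLS):
    """Return {url: (naive_result, strict_result)} for side-by-side comparison."""
    return {u: (naive_host_check(u), strict_host_check(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, strict) in evaluate().items():
        print(f"{url:55} naive={naive!s:5} strict={strict}")
```

The point to carry over to any Dubbo deployment audit is that the whitelist check and the code that later opens the connection or issues the redirect must agree on the host, which in practice means parsing once and checking the parsed hostname, not the string it came from.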
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.dubbo:dubbo | Maven | >= 2.5.0, < 2.7.10 | 2.7.10 |
| com.alibaba:dubbo | Maven | >= 2.5.0, < 2.6.9 | 2.6.9 |
Affected products
- GHSA coordinates, two version ranges (no CPE):
  - >= 2.5.0, < 2.6.9
  - >= 2.5.0, < 2.7.10
- Apache Software Foundation / Apache Dubbo (CVE v5 record), range: Apache Dubbo 2.7.x
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-gw4j-4229-q4px (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-25640 (NVD record, via GHSA)
- lists.apache.org/thread.html/re4cab8855361a454d2af106fb3dad76259e723015fd7e09cb4f9eb77%40%3Cdev.dubbo.apache.org%3E (Apache dev@dubbo mailing-list announcement; tagged x_refsource_MISC and x_refsource_MLIST)
News mentions
No linked articles in our index yet.