Dubbo Zookeeper does not check serialization id
Description
Each Apache Dubbo server sets a serialization id to tell clients which serialization protocol it is using. But in Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, i.e. by not following the server's instruction. This means that if a weak deserializer such as Kryo or FST is somehow in code scope (e.g. if Kryo is part of a dependency), a remote unauthenticated attacker can tell the Provider to use the weak deserializer and then proceed to exploit it.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Dubbo servers before 2.7.8/2.6.9 allow an attacker to force the use of a weak deserializer, enabling remote code execution.
Vulnerability
In Apache Dubbo versions before 2.7.8 or 2.6.9, a deserialization vulnerability exists in how the provider selects the serialization protocol for an incoming request. The provider advertises its serialization id to consumers (it is part of the provider URL published to the registry, ZooKeeper in the typical deployment, hence the title). On the wire, however, every Dubbo frame carries its own serialization id in the low five bits of the flag byte of the 16-byte protocol header, and the vulnerable provider honours that byte instead of the id it advertised. An attacker can therefore set the flag byte to any serialization id and make the provider decode the body with a protocol the operator never chose. If a weak deserializer such as Kryo or FST is present on the classpath (e.g., via a transitive dependency), the attacker can force the provider to deserialize the request body with it. All releases from 2.5.0 up to but not including 2.7.8 on the org.apache.dubbo:dubbo line, and up to but not including 2.6.9 on the com.alibaba:dubbo line, are affected [1].
Exploitation
The attacker does not need authentication, and exploitation is remote: anything that can open a TCP connection to the provider's Dubbo port can send the frame. The attack requires that a weak deserializer such as Kryo or FST, together with the Dubbo serialization module that exposes it, is loadable on the provider's classpath; if it is not, the attacker-chosen id simply cannot be resolved to a deserializer. The attacker sends a crafted Dubbo request whose flag byte carries a different serialization id than the one the provider advertised. The provider decodes the body with the deserializer the attacker chose, so the body is a malicious serialized object built for that deserializer and designed to trigger arbitrary code execution during deserialization [1].
Impact
Successful exploitation leads to remote code execution (RCE) on the Dubbo provider server. The attacker gains full control over the server process with the privileges of the Dubbo application. This can result in complete compromise of confidentiality, integrity, and availability of the affected system [1].
Mitigation
Users should upgrade to Apache Dubbo 2.7.8 (org.apache.dubbo:dubbo) or 2.6.9 (com.alibaba:dubbo), or later. The fixed versions make the provider enforce its own serialization id: a request whose header carries a different id than the one the provider advertised is rejected rather than decoded. If upgrading is not immediately possible, the only partial workaround is to ensure that weak deserializers (such as Kryo and FST) and the Dubbo serialization modules that expose them are not on the provider's classpath; check the provider's dependency tree (for example with mvn dependency:tree) for transitive Kryo or FST artifacts. Beyond that, no workaround is available. This CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
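The following is an added example, not code from the page, from Apache Dubbo or from the advisory authors. It models the Dubbo protocol header (2-byte magic 0xdabb, a flag byte whose high bits mark request/two-way/event and whose low five bits carry the serialization id, a status byte, an 8-byte request id and a 4-byte body length) and shows, for the Vulnerability, Exploitation and Mitigation passages above, how an attacker rewrites the serialization id in the flag byte, how the vulnerable provider simply honours it, and what the check in the fixed versions amounts to. The numeric serialization ids (hessian2 = 2, kryo = 8, fst = 9 and so on) are recalled from Dubbo's serialization SPI and should be treated as illustrative; the function names, the sample frame and the behaviour labels are assumptions for this example. Nothing is actually deserialized here; the point is the selection step only.

```python
"""Dubbo protocol header: where the serialization id lives and how the fix checks it."""
import struct

MAGIC = 0xDABB             # first two bytes of every Dubbo frame
FLAG_REQUEST = 0x80        # bit 7: request (1) or response (0)
FLAG_TWOWAY = 0x40         # bit 6: caller expects a reply
FLAG_EVENT = 0x20          # bit 5: heartbeat / event frame
SERIALIZATION_MASK = 0x1F  # bits 0-4: serialization id
HEADER_FMT = ">HBBqI"      # magic, flags, status, request id, body length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 16 bytes

# Assumption: ids as registered in Dubbo's serialization SPI (2.7.x); illustrative only.
SERIALIZATION_NAMES = {2: "hessian2", 3: "java", 4: "compactedjava", 6: "fastjson",
                       7: "nativejava", 8: "kryo", 9: "fst"}
WEAK_DESERIALIZERS = {8, 9}  # the two the advisory names


def build_request_header(serialization_id, request_id, body_len, two_way=True):
    """Encode a request header the way a well-behaved consumer does."""
    flags = FLAG_REQUEST | (FLAG_TWOWAY if two_way else 0)
    flags |= serialization_id & SERIALIZATION_MASK
    return struct.pack(HEADER_FMT, MAGIC, flags, 0, request_id, body_len)


def parse_header(frame):
    """Decode the 16-byte header; ValueError on a short frame or a bad magic."""
    if len(frame) < HEADER_LEN:
        raise ValueError("short frame")
    magic, flags, status, request_id, body_len = struct.unpack(HEADER_FMT, frame[:HEADER_LEN])
    if magic != MAGIC:
        raise ValueError("bad magic 0x%04x" % magic)
    return {
        "request": bool(flags & FLAG_REQUEST),
        "two_way": bool(flags & FLAG_TWOWAY),
        "event": bool(flags & FLAG_EVENT),
        "serialization_id": flags & SERIALIZATION_MASK,
        "status": status,
        "request_id": request_id,
        "body_len": body_len,
    }


def tamper_serialization_id(frame, new_id):
    """The attacker's move: rewrite bits 0-4 of the flag byte, leave everything else intact."""
    flags = (frame[2] & (0xFF ^ SERIALIZATION_MASK)) | (new_id & SERIALIZATION_MASK)
    return frame[:2] + bytes([flags]) + frame[3:]


def choose_deserializer_vulnerable(frame, provider_serialization_id):
    """Pre-2.7.8 / 2.6.9 behaviour: the provider honours whatever id the frame carries.

    provider_serialization_id is accepted but ignored, which is exactly the bug."""
    return parse_header(frame)["serialization_id"]


def choose_deserializer_fixed(frame, provider_serialization_id):
    """Fixed behaviour: the id in the frame must equal the id the provider advertised."""
    sid = parse_header(frame)["serialization_id"]
    if sid != provider_serialization_id:
        raise ValueError("serialization id %d does not match provider's %d"
                         % (sid, provider_serialization_id))
    return sid


def is_weak(serialization_id):
    return serialization_id in WEAK_DESERIALIZERS


def demo():
    """Run both code paths against a constructed frame and its tampered copy."""
    provider_id = 2  # provider advertised hessian2 in its registry URL
    honest = build_request_header(provider_id, request_id=1, body_len=0)
    tampered = tamper_serialization_id(honest, 8)  # attacker asks for kryo instead
    chosen = choose_deserializer_vulnerable(tampered, provider_id)
    try:
        choose_deserializer_fixed(tampered, provider_id)
        rejected = False
    except ValueError:
        rejected = True
    return {"vulnerable_picks": SERIALIZATION_NAMES[chosen],
            "vulnerable_is_weak": is_weak(chosen),
            "fixed_rejects": rejected}


if __name__ == "__main__":
    print(demo())
```

The honest frame's flag byte is 0xC2 (request, two-way, hessian2); the tampered one is 0xC8, a one-byte change that a pre-fix provider accepts without question. The fixed path is deliberately an equality check against the advertised id rather than a deny-list of weak ids: an allow-list of one is what the upgrade delivers, and it does not depend on knowing which deserializers happen to be on the classpath.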
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.dubbo:dubbo | Maven | >= 2.5.0, < 2.7.8 | 2.7.8 |
| com.alibaba:dubbo | Maven | >= 2.5.0, < 2.6.9 | 2.6.9 |
Affected products
- GHSA coordinates (no CPE), 2 version ranges:
  - >= 2.5.0, < 2.6.9
  - >= 2.5.0, < 2.7.8
- Apache Software Foundation / Apache Dubbo (v5 range): Apache Dubbo 2.7.x
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.