Apache Dubbo Pre-auth RCE via Java deserialization in the Generic filter
Description
Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter, which finds the service and method specified in the first arguments of the invocation and uses the Java Reflection API to make the final call. The signature for the $invoke or $invokeAsync methods is Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object; where the first argument is the name of the method to invoke, the second one is an array with the parameter types for the method being invoked and the third one is an array with the actual call arguments. In addition, the caller also needs to set an RPC attachment specifying that the call is a generic call and how to decode the arguments. The possible values are:
- true
- raw.return
- nativejava
- bean
- protobuf-json
An attacker can control this RPC attachment and set it to nativejava to force the Java deserialization of the byte array located in the third argument.
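The following is an added, hypothetical provider-side filter written for this page; it is not Dubbo's own code and not the upstream fix shipped in 2.6.9/2.7.9. It shows where a defender can refuse the unsafe decode mode before GenericFilter reaches it, using the Dubbo 2.7.x Filter SPI (org.apache.dubbo.rpc.Filter, @Activate). It assumes the attachment key is "generic" and the method names are $invoke/$invokeAsync as described above; the package, class name and order value are chosen here. It is a defense-in-depth measure while an upgrade is scheduled, not a replacement for the fixed release.

```java
// Added example: a hypothetical Dubbo 2.7.x provider-side filter that refuses
// generic invocations whose "generic" attachment selects the nativejava decode
// mode. Not part of Dubbo and not the upstream fix; upgrading remains the remedy.
package example.dubbo.security; // hypothetical package

import java.util.Locale;

import org.apache.dubbo.common.constants.CommonConstants;
import org.apache.dubbo.common.extension.Activate;
import org.apache.dubbo.rpc.Filter;
import org.apache.dubbo.rpc.Invocation;
import org.apache.dubbo.rpc.Invoker;
import org.apache.dubbo.rpc.Result;
import org.apache.dubbo.rpc.RpcException;

// Activated on the provider side. The order value is an assumption chosen so the
// filter runs early in the chain, before GenericFilter decodes the arguments;
// verify the effective ordering against the deployed Dubbo version.
@Activate(group = CommonConstants.PROVIDER, order = -30000)
public class RejectNativeJavaGenericFilter implements Filter {

    private static final String GENERIC_ATTACHMENT = "generic";   // attachment key named in the description
    private static final String NATIVE_JAVA = "nativejava";       // the decode mode that triggers Java deserialization

    @Override
    public Result invoke(Invoker<?> invoker, Invocation invocation) throws RpcException {
        if (isGenericCall(invocation.getMethodName())
                && isNativeJava(invocation.getAttachment(GENERIC_ATTACHMENT))) {
            // Fail closed: the caller asked the provider to Java-deserialize the
            // byte[] in the third $invoke argument, which is the CVE-2021-30179 path.
            throw new RpcException(RpcException.FORBIDDEN_EXCEPTION,
                    "generic=nativejava is disabled on this provider: "
                            + invoker.getInterface().getName() + " " + invocation.getMethodName());
        }
        // Every other invocation (including generic calls in the other modes)
        // continues down the normal filter chain unchanged.
        return invoker.invoke(invocation);
    }

    // Generic calls are routed through these two synthetic method names.
    static boolean isGenericCall(String methodName) {
        return "$invoke".equals(methodName) || "$invokeAsync".equals(methodName);
    }

    // Normalize whitespace and case so trivial variations of the value are still caught.
    static boolean isNativeJava(String genericAttachment) {
        return genericAttachment != null
                && NATIVE_JAVA.equals(genericAttachment.trim().toLowerCase(Locale.ROOT));
    }
}
```

To load it, the class is registered through Dubbo's SPI file META-INF/dubbo/org.apache.dubbo.rpc.Filter with a line such as rejectNativeJavaGeneric=example.dubbo.security.RejectNativeJavaGenericFilter (name chosen here). For the com.alibaba:dubbo 2.6.x line the same logic applies but the imports live under the com.alibaba.dubbo package namespace. The description above only names the RPC attachment as the source of this setting; if the deployed version also honours other sources for it (for example provider-side configuration), those need reviewing separately, and a rejected call should be logged so that attempts are visible to detection.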
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Dubbo prior to 2.6.9 and 2.7.9 allows arbitrary method invocation via generic calls and insecure deserialization.
Vulnerability
Apache Dubbo versions prior to 2.6.9 and 2.7.9 support generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter, which finds the service and method specified in the first arguments of the invocation and uses the Java Reflection API to make the final call. The signature for the $invoke or $invokeAsync methods is Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object; where the first argument is the method name, the second is an array of parameter types, and the third is an array of actual call arguments. An attacker can set an RPC attachment specifying that the call is generic and how to decode the arguments, with possible values such as nativejava, raw.return, bean, protobuf-json, and true. By controlling this attachment and setting it to nativejava, the attacker forces Java deserialization of the byte array in the third argument. [1]
Exploitation
An attacker who can send RPC requests to a Dubbo provider can set the RPC attachment to nativejava, causing the provider to deserialize attacker-controlled byte arrays using Java deserialization. No authentication is required if the service is exposed publicly. The attacker crafts a malicious serialized Java object as the third argument of the $invoke or $invokeAsync call. [1]
Impact
Successful exploitation allows an attacker to execute arbitrary code on the Dubbo provider server, achieving full remote code execution (RCE) with the privileges of the Dubbo process. This leads to complete compromise of the confidentiality, integrity, and availability of the application and its data. [1]
Mitigation
This vulnerability is fixed in Apache Dubbo versions 2.6.9 and 2.7.9, released in 2021. Users of affected versions should upgrade immediately. There are no known workarounds. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date. [1]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.dubbo:dubbo (Maven) | >= 2.5.0, < 2.7.10 | 2.7.10 |
| com.alibaba:dubbo (Maven) | >= 2.5.0, < 2.6.9 | 2.6.9 |
Affected products
- ghsa-coords, 2 version ranges:
  - (no CPE) range: >= 2.5.0, < 2.6.9
  - (no CPE) range: >= 2.5.0, < 2.7.10
- Apache Software Foundation / Apache Dubbo (v5) range: Apache Dubbo 2.7.x
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-5mc7-m686-p6jg (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-30179 (ghsa: ADVISORY)
- lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E (ghsa: x_refsource_MISC, mailing-list, x_refsource_MLIST, WEB)
- lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67@%3Cdev.dubbo.apache.org%3E (ghsa: WEB)
News mentions
No linked articles in our index yet.