VYPR
Critical severity · NVD Advisory · Published May 29, 2021 · Updated Aug 3, 2024

Apache Dubbo RCE on customers via Script route poisoning (Nashorn script injection)

CVE-2021-30181

Description

Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use ScriptEngine and run the rule provided by the script which by default may enable executing arbitrary code.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Dubbo Script routing uses ScriptEngine to evaluate user-provided rules, enabling arbitrary code execution in versions prior to 2.6.9 and 2.7.9.

Vulnerability

Apache Dubbo versions prior to 2.6.9 and 2.7.9 include a Script routing feature that uses the Java ScriptEngine to parse and execute user-provided routing rules. When a request is made, these rules are evaluated without proper sandboxing, allowing arbitrary code execution. The vulnerability exists in the script routing functionality which is enabled by default [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted request containing a malicious script rule. No authentication is required, as the script rules are supplied as part of the request. The ScriptEngine then executes the attacker-controlled script in the context of the Dubbo server [1].

Impact

Successful exploitation allows an attacker to execute arbitrary code with the privileges of the Dubbo server process. This can lead to full system compromise, including data exfiltration, installation of malware, or lateral movement within the network [1].

Mitigation

Upgrade to Apache Dubbo version 2.6.9 or 2.7.9, which fix the issue by removing support for script routing or adding proper sandboxing. As of the publication date, no workaround is available for unpatched versions [1]. This CVE is not listed in the known exploited vulnerabilities (KEV) catalog.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                         Affected versions     Patched versions
com.alibaba:dubbo (Maven)       >= 2.5.0, < 2.6.9     2.6.9
org.apache.dubbo:dubbo (Maven)  >= 2.5.0, < 2.7.10    2.7.10
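As a practical check against the affected ranges in the table above (an added example, not part of the advisory or of the Dubbo project): a Python script that scans a pom.xml for the two listed coordinates, resolves ${property} versions, and flags any version inside an affected range. The pom.xml content is constructed for illustration; the ranges are taken from the table, so a version equal to a patched version is not flagged, while a pre-release of it (e.g. a SNAPSHOT) is.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges from the advisory's "Affected packages" table: [lower, upper).
AFFECTED_RANGES = {
    "com.alibaba:dubbo": ("2.5.0", "2.6.9"),
    "org.apache.dubbo:dubbo": ("2.5.0", "2.7.10"),
}

def parse_version(version):
    # 'MAJOR.MINOR.PATCH[-qualifier]' -> comparable tuple. A qualifier
    # (e.g. 2.7.10-SNAPSHOT) sorts below the plain release, as in Maven.
    core, _, qualifier = version.partition("-")
    nums = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3]) + (0 if qualifier else 1,)

def is_affected(coordinate, version):
    rng = AFFECTED_RANGES.get(coordinate)
    if rng is None or not version:  # unlisted artifact or version managed elsewhere
        return False
    low, high = (parse_version(v) for v in rng)
    return low <= parse_version(version) < high

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace, if any

def _child_text(element, name):
    return next(((c.text or "").strip() for c in element if _local(c.tag) == name), "")

def scan_pom(pom_xml):
    root = ET.fromstring(pom_xml)
    props = {_local(p.tag): (p.text or "").strip()
             for el in root if _local(el.tag) == "properties" for p in el}
    findings = []  # (coordinate, resolved version) pairs inside an affected range
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        coord = f"{_child_text(dep, 'groupId')}:{_child_text(dep, 'artifactId')}"
        # Resolve ${property} references declared in <properties>.
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)),
                         _child_text(dep, "version"))
        if is_affected(coord, version):
            findings.append((coord, version))
    return findings

# Constructed sample pom.xml: the dubbo artifact is pinned through a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><dubbo.version>2.7.8</dubbo.version></properties>
  <dependencies><dependency><groupId>org.apache.dubbo</groupId>
    <artifactId>dubbo</artifactId><version>${dubbo.version}</version>
  </dependency></dependencies></project>"""
```

Versions inherited from a parent POM or a BOM resolve to an empty string here and are skipped, so run the check against the effective POM (mvn help:effective-pom) to cover those.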
