Pre-auth remote code execution in Apache Dubbo via arbitrary bean manipulation in the Telnet handler
Description
Apache Dubbo is a Java-based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to reach a Telnet handler that offers some basic commands for collecting information about the providers and methods exposed by the service, and it can even be used to shut down the service. This endpoint is unprotected. Additionally, a provider method can be invoked through the invoke handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with PojoUtils.realize, which can be used to instantiate arbitrary classes and invoke their setters. Even though FastJson is properly protected with a default blocklist, PojoUtils.realize is not, and an attacker can leverage that to achieve remote code execution. Versions 2.6.10 and 2.7.10 contain fixes for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Dubbo versions prior to 2.6.10 and 2.7.10 allow unauthenticated remote code execution via the Telnet handler's invoke method and unsafe PojoUtils.realize processing.
Vulnerability
Analysis
CVE-2021-32824 is a pre-authentication remote code execution vulnerability in Apache Dubbo, a Java-based RPC framework. The root cause lies in the Telnet handler, which is served on the main Dubbo service port without any authentication [1]. This handler exposes an invoke command that uses a safe version of FastJson to parse the call arguments, but the resulting list is subsequently processed by PojoUtils.realize. Unlike FastJson, which is protected by a default blocklist, PojoUtils.realize has no such restriction: it instantiates whatever class the caller names and invokes that class's setters, so the hardening of the parser is irrelevant once the parsed data reaches the unprotected materializer, and the outcome is arbitrary code execution [2].
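The two-stage shape described above, as an added Python analogue (not Dubbo's code, and not a Java reproduction of PojoUtils.realize): a parser that cannot choose a class is followed by a materializer that honours a caller-supplied `class` key, and the hardened form replaces the open lookup with an allowlist. `ServiceConfig`, `safe_parse`, `realize_unsafe` and `realize_allowlisted` are hypothetical names; the call-argument JSON is constructed.

```python
import importlib
import json


class ServiceConfig:
    """Constructed sample bean with setters, standing in for a provider-side
    parameter type that a legitimate invoke call might carry."""

    def __init__(self):
        self.name = None
        self.timeout = None

    def set_name(self, value):
        self.name = value

    def set_timeout(self, value):
        self.timeout = int(value)


def safe_parse(text):
    """Stage 1: json.loads only ever produces dicts, lists and scalars, so this
    stage is 'safe' in the same sense the advisory uses for the blocklisted
    FastJson call: the parser itself never picks a class to instantiate."""
    return json.loads(text)


def _load_any_class(dotted):
    """Resolve 'pkg.mod.Name' to a class; a bare name is looked up in this
    module. Nothing here restricts which class the caller may name."""
    module_name, _, class_name = dotted.rpartition(".")
    if module_name:
        return getattr(importlib.import_module(module_name), class_name)
    return globals()[class_name]


def realize_unsafe(value):
    """Stage 2, vulnerable: the 'class' key supplied by the caller decides
    which type is instantiated, and every other key is fed to a matching
    set_<key> method. This is the shape of the PojoUtils.realize step the
    advisory describes: the parser was safe, the materializer is not."""
    if isinstance(value, list):
        return [realize_unsafe(v) for v in value]
    if isinstance(value, dict) and "class" in value:
        obj = _load_any_class(str(value["class"]))()
        for key, v in value.items():
            if key == "class":
                continue
            setter = getattr(obj, "set_" + key, None)
            if callable(setter):
                setter(realize_unsafe(v))
        return obj
    return value


# Hardened variant: only bean types this service has registered can be named
# from the wire, and the caller-supplied 'class' string is a lookup key, never
# an input to the import machinery.
ALLOWED_BEANS = {"ServiceConfig": ServiceConfig}


def realize_allowlisted(value):
    if isinstance(value, list):
        return [realize_allowlisted(v) for v in value]
    if isinstance(value, dict) and "class" in value:
        cls = ALLOWED_BEANS.get(value["class"])
        if cls is None:
            raise ValueError("bean type not permitted: %r" % (value["class"],))
        obj = cls()
        for key, v in value.items():
            if key != "class":
                setter = getattr(obj, "set_" + key, None)
                if callable(setter):
                    setter(realize_allowlisted(v))
        return obj
    return value


if __name__ == "__main__":
    # Constructed argument list, as the invoke path would see it after stage 1:
    # the first entry names a class the service never intended to accept.
    args = safe_parse('[{"class": "collections.Counter"},'
                      ' {"class": "ServiceConfig", "name": "demo", "timeout": "5"}]')
    print([type(a).__name__ for a in realize_unsafe(args)])  # ['Counter', 'ServiceConfig']
    try:
        realize_allowlisted(args)
    except ValueError as exc:
        print("hardened path rejected:", exc)
```

The point to carry over to any Java code base doing the same thing: a blocklist on the parser does not help when a later step re-reads a type name out of the parsed data, so the allowlist has to sit on that later step.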
Exploitation
The attack surface is the unprotected Telnet handler on the Dubbo main service port. An attacker with network access to this port can connect to the Telnet interface and call the invoke command with crafted arguments. No authentication is required. The exploit leverages the unsafe deserialization behavior of PojoUtils.realize to construct objects of attacker-chosen classes, with attacker-chosen setter calls, and from there reach code execution [1]. The official advisory notes that while FastJson is properly hardened, the downstream processing of the deserialized list via PojoUtils.realize is where that hardening is bypassed [2].
Impact
Successful exploitation allows an unauthenticated remote attacker to achieve remote code execution on the Dubbo provider server. This can lead to full compromise of the affected service, including data theft, service disruption, and lateral movement within the network. The vulnerability affects the 2.6 line below 2.6.10 (and anything older) and the 2.7 line from 2.7.0 up to, but not including, 2.7.10 [1][2].
Mitigation
The Apache Dubbo project has released patched versions 2.6.10 and 2.7.10 that fix this vulnerability. Users are strongly advised to upgrade immediately. The advisory does not describe a workaround. Because the Telnet handler is served on the main service port rather than on a separate management port, restricting access to it means limiting which hosts can reach the provider port at all (trusted consumers and operators only); that is a general containment measure, not a fix for the unsafe PojoUtils.realize path, so it does not replace the upgrade [1][2].
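An added exposure check (not the project's code, and not described by the advisory) for the access-restriction point above: it opens a TCP connection to a provider port, sends the console's `help` command, and reports whether the Telnet handler answered. That the console answers with a `dubbo>` prompt and that its help listing names `invoke` and `shutdown` are assumptions about the console's output, not facts stated on this page; the sample reply is constructed in that shape.

```python
import socket

PROMPT = b"dubbo>"                         # console prompt (assumed, see lead-in)
COMMANDS_OF_INTEREST = (b"invoke", b"shutdown")

# Constructed reply, shaped like a console help listing, used to exercise
# the classifier offline.
CONSTRUCTED_REPLY = (
    b'Please input "help [command]" show detail.\r\n'
    b"    ls       Display available services and methods.\r\n"
    b"    invoke   Invoke a service method.\r\n"
    b"    shutdown Shutdown Dubbo Application.\r\n"
    b"\r\ndubbo>"
)


def classify_console_reply(data: bytes) -> dict:
    """Interpret the bytes a port returned after 'help' was sent.
    'telnet_console' is True when the prompt came back; the other keys record
    whether the help text advertises the two commands the advisory calls out.
    Command names are only counted when the prompt was seen, so an unrelated
    service that happens to echo the word 'invoke' is not flagged."""
    lowered = data.lower()
    result = {"telnet_console": PROMPT in lowered}
    for cmd in COMMANDS_OF_INTEREST:
        result[cmd.decode()] = result["telnet_console"] and cmd in lowered
    return result


def probe_dubbo_console(host: str, port: int, timeout: float = 3.0) -> dict:
    """Connect to host:port, send 'help', read until the prompt or the timeout,
    and classify the reply. Run this from the network positions that are NOT
    supposed to reach the service; a True 'telnet_console' from there is the
    unauthenticated exposure the advisory describes."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"help\r\n")
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
                if PROMPT in b"".join(chunks):
                    break
        except socket.timeout:
            pass
    return classify_console_reply(b"".join(chunks))


if __name__ == "__main__":
    import sys
    print(probe_dubbo_console(sys.argv[1], int(sys.argv[2])))
```

Because the console shares the main service port, a positive result cannot be closed by firewalling a separate management port; the only network-level option is to restrict which sources can reach the provider port itself, and that still leaves the unsafe realize path in place until the service is upgraded.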
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.dubbo:dubbo-parent | Maven | < 2.6.10 | 2.6.10 |
| org.apache.dubbo:dubbo-parent | Maven | >= 2.7.0, < 2.7.10 | 2.7.10 |
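An added Python check (not part of the advisory) that applies the two ranges in the table above to a Maven dependency listing, so a build can be screened without reading version numbers by hand. It assumes the line shape printed by `mvn dependency:list`, namely `group:artifact:type[:classifier]:version:scope`; the listing embedded below is constructed in that shape.

```python
# Added example: flag artifacts from the org.apache.dubbo group whose version
# falls inside the advisory's affected ranges. SAMPLE_DEPENDENCY_LIST is a
# constructed stand-in for `mvn dependency:list` output.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.dubbo:dubbo:jar:2.7.8:compile
[INFO]    org.apache.dubbo:dubbo-common:jar:2.7.8:compile
[INFO]    com.alibaba:fastjson:jar:1.2.76:compile
[INFO]    org.apache.dubbo:dubbo-serialization-api:jar:sources:2.7.8:provided
[INFO]    io.netty:netty-all:jar:4.1.60.Final:compile
"""

DUBBO_GROUP = "org.apache.dubbo"


def parse_version(version):
    """'2.7.8' -> (2, 7, 8, 1). The fourth element ranks a plain release above
    a qualified build of the same number: Maven orders 2.7.10-SNAPSHOT before
    2.7.10, and a snapshot cut before the fix landed must not count as patched.
    Non-numeric trailing pieces ('4.1.60.Final') are ignored for the comparison."""
    core, _, qualifier = version.partition("-")
    nums = []
    for piece in core.split("."):
        if not piece.isdigit():
            break
        nums.append(int(piece))
    nums = (nums + [0, 0, 0])[:3]
    return tuple(nums) + (0 if qualifier else 1,)


def is_affected(version):
    """Exactly the two table rows: < 2.6.10, and >= 2.7.0 but < 2.7.10.
    Versions outside both ranges (2.6.10 and later on that line, 2.7.10 and
    later, 3.x) are not flagged because the table says nothing about them."""
    v = parse_version(version)
    if v < (2, 6, 10, 1):
        return True
    return (2, 7, 0, 0) <= v < (2, 7, 10, 1)


def parse_dependency_line(line):
    """Return (group, artifact, version) for a dependency line, or None for
    anything else. The version is the second-to-last colon-separated field,
    which stays correct when a classifier such as 'sources' is present."""
    tokens = line.split()
    if not tokens:
        return None
    parts = tokens[-1].split(":")
    if len(parts) < 5:
        return None
    return parts[0], parts[1], parts[-2]


def affected_dubbo_artifacts(lines):
    """(artifact, version) pairs from the Dubbo group with an affected version."""
    hits = []
    for line in lines:
        parsed = parse_dependency_line(line)
        if parsed and parsed[0] == DUBBO_GROUP and is_affected(parsed[2]):
            hits.append((parsed[1], parsed[2]))
    return hits


if __name__ == "__main__":
    for artifact, version in affected_dubbo_artifacts(SAMPLE_DEPENDENCY_LIST.splitlines()):
        print("affected: %s:%s:%s" % (DUBBO_GROUP, artifact, version))
```

The table lists dubbo-parent, so any artifact published under the org.apache.dubbo group at an affected version is treated as in scope rather than matching on the artifact name.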
References