VYPR
Critical severity · NVD Advisory · Published Sep 9, 2021 · Updated Aug 4, 2024

Unprotected input value toString cause RCE

CVE-2021-36161

Description

Some component in Dubbo will try to print the formatted string of the input arguments, which will possibly cause RCE for a maliciously customized bean with a special toString method. In the latest version, we fix the toString call in timeout, cache and some other places. Fixed in Apache Dubbo 2.7.13.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Dubbo 2.7.12 and earlier allow RCE when internal formatting code calls toString() on a deserialized bean whose toString method is malicious.

Vulnerability

In Apache Dubbo versions 2.7.12 and earlier, multiple components (including timeout and cache handling) format input arguments by calling their toString() method. A specially crafted bean with a malicious toString() implementation can trigger arbitrary code execution during this formatting process [1]. This issue is located in the object deserialization and argument printing routines [2].

Exploitation

An attacker must be able to supply a maliciously customized bean to a Dubbo service endpoint. No authentication is required if the service endpoint is exposed. The attacker crafts a Java bean whose toString() method executes arbitrary commands. When Dubbo's internal formatting logic calls toString() on that bean during argument processing (e.g., when printing timeout or cache-related messages), the malicious code executes [1].

Impact

Successful exploitation allows remote code execution (RCE) on the server hosting the Dubbo service. The attacker gains full control over the JVM process, enabling data exfiltration, lateral movement, or further compromise of the infrastructure [1].

Mitigation

Apache Dubbo 2.7.13 fixes the issue by removing unnecessary toString() calls in affected components (timeout, cache, and other locations) [1]. Users should upgrade to Dubbo 2.7.13 or later immediately. No workarounds are documented; services exposed to untrusted input are at risk until patched [2].
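To make the mechanism and the fix concrete, here is an added example constructed for this page (it is not Dubbo's code and not its actual patch): a timeout-message formatter written in the vulnerable style beside one that never invokes toString() on caller-supplied arguments. The SideEffectBean only counts how often its toString() runs; all class, method and argument names are assumptions.

```java
import java.util.Arrays;
import java.util.concurrent.atomic.AtomicInteger;

// Constructed demonstration of the hazard class behind CVE-2021-36161:
// string concatenation, "%s" formatting and Arrays.toString() all call
// toString() on every argument, so a caller-supplied object gets to run
// its own code inside the framework's message-building path. The bean
// below merely records that it ran; with a deserialized object the body
// of toString() is chosen by whoever supplied the object.
public class ToStringFormatting {

    /** Stand-in for a request argument whose toString() has side effects. */
    static final class SideEffectBean {
        static final AtomicInteger TO_STRING_CALLS = new AtomicInteger();
        @Override public String toString() {
            TO_STRING_CALLS.incrementAndGet();   // attacker-controlled code would run here
            return "SideEffectBean";
        }
    }

    /** Vulnerable pattern: the timeout message embeds the raw arguments. */
    static String timeoutMessageUnsafe(String method, Object[] args) {
        return "Invocation of " + method + " timed out, args: " + Arrays.toString(args);
    }

    /** Hardened pattern (assumed here, not Dubbo's own fix): describe each
     *  argument by position and runtime class, never by its own rendering. */
    static String timeoutMessageSafe(String method, Object[] args) {
        int n = args == null ? 0 : args.length;
        StringBuilder sb = new StringBuilder("Invocation of ").append(method)
                .append(" timed out, ").append(n).append(" arg(s)");
        for (int i = 0; i < n; i++) {
            sb.append(i == 0 ? ": " : ", ").append('#').append(i).append('=')
              .append(args[i] == null ? "null" : args[i].getClass().getName());
        }
        return sb.toString();
    }

    public static void main(String[] unused) {
        Object[] args = { "order-42", new SideEffectBean() };   // constructed input

        timeoutMessageUnsafe("placeOrder", args);
        System.out.println("unsafe formatter invoked toString() "
                + SideEffectBean.TO_STRING_CALLS.get() + " time(s)");

        SideEffectBean.TO_STRING_CALLS.set(0);
        System.out.println(timeoutMessageSafe("placeOrder", args));
        System.out.println("safe formatter invoked toString() "
                + SideEffectBean.TO_STRING_CALLS.get() + " time(s)");
    }
}
```

The same rule applies to any log, exception message or cache key built from request arguments: summarize untrusted objects by type or identifier rather than rendering them.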

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions   Patched versions
org.apache.dubbo:dubbo (Maven)   < 2.7.13            2.7.13
