VYPR
High severity · NVD Advisory · Published Sep 7, 2021 · Updated Aug 4, 2024

Unprotected YAML deserialization causes RCE

CVE-2021-36162

Description

Apache Dubbo supports various rules for configuration override or traffic routing (called routing in Dubbo). These rules are loaded into the configuration center (e.g. Zookeeper, Nacos, ...) and retrieved by consumers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo consumers use the SnakeYAML library to load them, which by default enables calling arbitrary constructors. An attacker with access to the configuration center is able to poison a rule so that, when it is retrieved by the consumers, it yields RCE on all of them. This was fixed in Dubbo 2.7.13 and 3.0.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Dubbo's YAML rule parsing uses SnakeYAML, allowing arbitrary constructors; attackers with config center access can achieve RCE. Fixed in 2.7.13, 3.0.2.

Vulnerability

Apache Dubbo implements routing and configuration override rules using YAML, which are stored in a configuration center (e.g., Zookeeper, Nacos). When consumers retrieve these rules, the SnakeYAML library parses them. By default, SnakeYAML enables the invocation of arbitrary constructors, allowing deserialization of arbitrary classes. This vulnerability affects Dubbo versions prior to 2.7.13 and 3.0.2. An attacker must have write access to the configuration center to inject a malicious rule [1].
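The loader behaviour described above, as an added illustration that is not Dubbo's or SnakeYAML's own code: the default SnakeYAML loader honours a global (!!) tag and instantiates the named JVM class, while a loader built on SafeConstructor only ever produces maps, lists and scalars and rejects such tags. It assumes SnakeYAML 1.32/1.33 on the classpath (2.x rejects global tags by default as well); the rule documents, the RuleLoaderDemo class and the containsGlobalClassTag helper are constructed for this example, and a harmless class (java.lang.StringBuilder) stands in for whatever the tag would name.

```java
import java.util.Map;
import java.util.regex.Pattern;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

// Added illustration of the default-vs-SafeConstructor loading behaviour.
// Assumes SnakeYAML 1.32/1.33; not code from Dubbo or SnakeYAML.
public class RuleLoaderDemo {

    // Constructed sample: a benign routing-style rule as a consumer might fetch it.
    static final String PLAIN_RULE = String.join("\n",
            "scope: application",
            "key: demo-provider",
            "enabled: true",
            "conditions:",
            "  - method=sayHello => region=hangzhou");

    // Constructed sample: the same kind of document carrying a global tag that
    // asks the loader to instantiate a class by name. StringBuilder is used only
    // because it is harmless; the point is that the tag is honoured at all.
    static final String TAGGED_RULE = String.join("\n",
            "scope: application",
            "key: !!java.lang.StringBuilder [demo-provider]",
            "enabled: true");

    // Matches a global tag naming a dotted JVM class, e.g. "!!java.lang.StringBuilder".
    // Standard tags such as "!!str" or "!!int" contain no dot and are not matched.
    // Rule documents never need class tags, so their presence in content read
    // from the configuration center is worth alerting on before parsing.
    private static final Pattern GLOBAL_CLASS_TAG =
            Pattern.compile("!![A-Za-z_$][\\w$]*(\\.[A-Za-z_$][\\w$]*)+");

    static boolean containsGlobalClassTag(String yaml) {
        return GLOBAL_CLASS_TAG.matcher(yaml).find();
    }

    // Default loader: the behaviour the advisory describes. A "!!" tag is
    // resolved to a class and one of its constructors is invoked.
    static Map<String, Object> loadWithDefaults(String yaml) {
        return new Yaml().load(yaml);
    }

    // Hardened loader: SafeConstructor builds only maps, lists and scalars and
    // throws a YAMLException (ConstructorException) for any global tag.
    static Map<String, Object> loadSafely(String yaml) {
        Yaml loader = new Yaml(new SafeConstructor(new LoaderOptions()));
        return loader.load(yaml);
    }

    public static void main(String[] args) {
        // Plain rule: both loaders return the same nested map.
        System.out.println("default, plain  : " + loadWithDefaults(PLAIN_RULE));
        System.out.println("safe, plain     : " + loadSafely(PLAIN_RULE));

        // Tagged rule: the pre-parse check flags it, the default loader returns a
        // java.lang.StringBuilder for "key", and the safe loader refuses the document.
        System.out.println("tag present     : " + containsGlobalClassTag(TAGGED_RULE));
        Object key = loadWithDefaults(TAGGED_RULE).get("key");
        System.out.println("default, tagged : " + key.getClass().getName());
        try {
            loadSafely(TAGGED_RULE);
            System.out.println("safe, tagged    : loaded (unexpected)");
        } catch (YAMLException e) {
            System.out.println("safe, tagged    : rejected: " + e.getMessage());
        }
    }
}
```

The containsGlobalClassTag check is a cheap monitoring hook for anything that watches the configuration center: a rule that suddenly carries a class tag is a signal regardless of which loader the consumers run. The loader contrast is the substantive point, since a consumer that parses rules through SafeConstructor cannot be made to instantiate classes by the document's content, whatever gets written into the configuration center.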

Exploitation

An attacker with access to the configuration center can poison a YAML rule by embedding a SnakeYAML gadget chain. When a consumer fetches and parses the poisoned rule, SnakeYAML instantiates the specified classes, leading to remote code execution (RCE). No user interaction is required beyond the normal rule retrieval process [1].

Impact

Successful exploitation allows remote code execution on all Dubbo consumers that load the malicious rule. The attacker gains full control over the affected consumer processes, potentially leading to data exfiltration, lateral movement, or further compromise [1].

Mitigation

Apache Dubbo fixed this vulnerability in versions 2.7.13 and 3.0.2. Users should upgrade to these versions or later. As a workaround, restrict write access to the configuration center to trusted entities only. No other mitigations are provided in the available references [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                 Ecosystem  Affected versions   Patched versions
org.apache.dubbo:dubbo  Maven      < 2.7.13            2.7.13
org.apache.dubbo:dubbo  Maven      >= 3.0.0, < 3.0.2   3.0.2

Affected products

2

Patches

0

No patches discovered yet.


References

3
