Unsafe deserialization in providers using the Hessian protocol
Description
In Apache Dubbo, users may choose to use the Hessian protocol. The Hessian protocol is implemented on top of HTTP and passes the body of a POST request directly to a HessianSkeleton. A new HessianSkeleton is created without any configuration of the serialization factory, and therefore without applying the Dubbo properties that define allowed or blocked type lists. In addition, the generic service is always exposed, so attackers do not need to figure out a valid service/method name pair. This is fixed in 2.7.13 and 2.6.10.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Dubbo Hessian protocol deserialization vulnerability allows unauthenticated remote code execution; fixed in 2.7.13 and 2.6.10.1.
Vulnerability
The vulnerability resides in Apache Dubbo's Hessian protocol implementation. The Hessian protocol passes the body of a POST request directly to a HessianSkeleton without any configuration of the serialization factory, thus failing to apply allowed or blocked type lists. Additionally, the generic service is always exposed, so attackers do not need to know a valid service/method name pair. Affected versions are before 2.7.13 and 2.6.10.1 [1].
Exploitation
An unauthenticated attacker can send a crafted POST request to the Dubbo server using the Hessian protocol. Because the generic service is always exposed, no prior knowledge of valid service endpoints is required. The attacker can exploit deserialization by providing malicious serialized data, leading to remote code execution [1].
Impact
Successful exploitation allows remote code execution on the Dubbo server. This results in full compromise of the affected system, including loss of confidentiality, integrity, and availability [1].
Mitigation
Fixed in Apache Dubbo versions 2.7.13 and 2.6.10.1 [3][4]. Users should upgrade to these or later versions. No workarounds are mentioned in the available references [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| org.apache.dubbo:dubbo (Maven) | >= 2.7.0, < 2.7.13 | 2.7.13 |
| org.apache.dubbo:dubbo (Maven) | < 2.6.10.1 | 2.6.10.1 |
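The ranges in the table above use the GitHub Security Advisory constraint syntax (">= 2.7.0, < 2.7.13"). The following is an added example, not part of the advisory or of the Dubbo project, that parses those constraints and checks a dependency inventory against them so affected builds can be found before upgrading. Only the two ranges from the table are used; the inventory entries are constructed sample data, and pre-release suffixes such as "-SNAPSHOT" are treated conservatively as the numeric release they precede.

```python
"""Match dependency versions against the affected ranges listed in this advisory.

Added example (not the advisory's or the project's own code). The ranges are
copied from the table above; the inventory below is constructed sample data.
"""
import operator
import re

# Affected ranges for CVE-2021-36163 as given in the advisory table (GHSA syntax).
AFFECTED_RANGES = {
    "org.apache.dubbo:dubbo": [">= 2.7.0, < 2.7.13", "< 2.6.10.1"],
}

# Comparison operators understood in a constraint, applied to compare()'s -1/0/1 result.
_OPS = {">=": operator.ge, ">": operator.gt, "<=": operator.le, "<": operator.lt, "=": operator.eq}


def parse_version(v):
    """Turn '2.6.10.1' into (2, 6, 10, 1). A non-numeric tail such as
    '9-SNAPSHOT' contributes its leading digits and the rest is dropped."""
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def compare(a, b):
    """Three-way compare of version tuples; the shorter one is zero-padded so 2.7 == 2.7.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def in_range(version, range_expr):
    """True if `version` satisfies every comma-separated constraint in `range_expr`."""
    vt = parse_version(version)
    for constraint in range_expr.split(","):
        m = re.match(r"\s*(>=|<=|>|<|=)\s*([\w.\-]+)\s*$", constraint)
        if not m:
            raise ValueError(f"bad constraint: {constraint!r}")
        op, bound = m.groups()
        if not _OPS[op](compare(vt, parse_version(bound)), 0):
            return False
    return True


def is_affected(package, version, ranges=AFFECTED_RANGES):
    """True if any advisory range for `package` contains `version`."""
    return any(in_range(version, r) for r in ranges.get(package, []))


def scan(inventory, ranges=AFFECTED_RANGES):
    """Return the (package, version) pairs from `inventory` that fall in an affected range."""
    return [(pkg, ver) for pkg, ver in inventory if is_affected(pkg, ver, ranges)]


# Constructed sample inventory: (Maven coordinate, resolved version).
SAMPLE_INVENTORY = [
    ("org.apache.dubbo:dubbo", "2.7.8"),
    ("org.apache.dubbo:dubbo", "2.7.13"),
    ("org.apache.dubbo:dubbo", "2.6.10"),
    ("org.apache.dubbo:dubbo", "2.6.10.1"),
    ("org.apache.dubbo:dubbo", "2.6.9-SNAPSHOT"),
    ("com.example:unrelated", "1.0.0"),
]

if __name__ == "__main__":
    for pkg, ver in scan(SAMPLE_INVENTORY):
        print(f"AFFECTED {pkg} {ver}")
```

Feeding the output of a real dependency listing (for example the resolved artifacts of a Maven build) into `scan` in place of the sample inventory gives a quick first pass; the version comparison is purely numeric, so vendor-patched builds carrying extra qualifiers should be reviewed by hand.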
Affected products
- Apache Software Foundation / Apache Dubbo (v5), range: Apache Dubbo 2.7.x
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. https://github.com/advisories/GHSA-cpx9-4rwv-486v (GHSA, advisory)
2. https://nvd.nist.gov/vuln/detail/CVE-2021-36163 (GHSA, advisory)
3. https://github.com/apache/dubbo/pull/8238 (GHSA, web)
4. https://github.com/apache/dubbo/releases/tag/dubbo-2.6.10.1 (GHSA, web)
5. https://github.com/apache/dubbo/releases/tag/dubbo-2.7.13 (GHSA, web)
6. https://lists.apache.org/thread.html/r8d0adc057bb15a37199502cc366f4b1164c9c536ce28e4defdb428c0%40%3Cdev.dubbo.apache.org%3E (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.