Critical severity · NVD Advisory · Published Sep 9, 2021 · Updated Aug 4, 2024

Bypass deserialization checks in Apache Dubbo

CVE-2021-37579

Description

The Dubbo Provider checks that the incoming request and its serialization type meet the configuration set by the server. But there is an exception that an attacker can use to skip the security check (when enabled) and reach a deserialization operation using native Java serialization. Apache Dubbo 2.7.13 and 3.0.2 fix this issue by failing fast when any unrecognized request is found.
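To make the difference between the flawed check and the "fail fast on any unrecognized request" fix concrete, the following is an added illustration, not Dubbo's own code and not its actual vulnerable code path: it models a provider-side allow-list check on a request's serialization id in a fail-open shape and in a fail-closed shape. The serialization ids, their names and the SerializationGate class are constructed for this example.

```java
import java.util.Map;
import java.util.Set;

// Illustrative model (not Dubbo's code): a provider checks the request's
// serialization id against what the server has configured. The fail-open
// variant lets an unrecognized id through; the fail-closed variant rejects it.
public class SerializationGate {

    // Constructed ids and names, hypothetical values for this example only.
    static final byte HESSIAN2 = 2;
    static final byte FASTJSON = 6;
    static final byte NATIVE_JAVA = 7;   // registered, but not configured by the server
    static final byte UNKNOWN = 99;      // not registered anywhere

    static final Map<Byte, String> REGISTERED =
            Map.of(HESSIAN2, "hessian2", FASTJSON, "fastjson", NATIVE_JAVA, "java");
    static final Set<String> CONFIGURED = Set.of("hessian2", "fastjson");

    static String lookup(byte id) {
        String name = REGISTERED.get(id);
        if (name == null) throw new IllegalArgumentException("unrecognized serialization id " + id);
        return name;
    }

    // Flawed shape: a lookup failure is treated as "nothing to check", so a request
    // with an unrecognized id passes the gate and flows on to decoding.
    static boolean checkFailOpen(byte id) {
        try {
            return CONFIGURED.contains(lookup(id));
        } catch (IllegalArgumentException e) {
            return true;   // fail-open: unrecognized request is let through
        }
    }

    // Fixed shape: an unrecognized id is rejected at once, before any decoding runs.
    static boolean checkFailClosed(byte id) {
        String name;
        try {
            name = lookup(id);
        } catch (IllegalArgumentException e) {
            return false;  // fail-closed: unrecognized request is dropped
        }
        return CONFIGURED.contains(name);
    }

    public static void main(String[] args) {
        for (byte id : new byte[]{HESSIAN2, NATIVE_JAVA, UNKNOWN}) {
            System.out.printf("id=%d failOpen=%b failClosed=%b%n",
                    id, checkFailOpen(id), checkFailClosed(id));
        }
    }
}
```

Note that both shapes reject a recognized but unconfigured id (NATIVE_JAVA here); they differ only on the unrecognized id, which is exactly the case the advisory's fix closes.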

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Dubbo's provider fails to enforce serialization type check in certain cases, allowing attackers to bypass security and trigger unsafe deserialization.

Vulnerability

The vulnerability exists in Apache Dubbo's provider component, where the server checks incoming requests and their serialization type against the configured allowed types. However, an exception in the check logic allows an attacker to bypass this security check when enabled, reaching a deserialization operation using native Java serialization. This affects versions prior to 2.7.13 and 3.0.2 [1].

Exploitation

An attacker can send a crafted request with an unrecognized serialization type that triggers the exception, skipping the security check. The attacker does not need authentication but must be able to send network requests to the Dubbo provider. The exploitation sequence involves sending a malicious serialized payload using native Java serialization, which the provider then deserializes [1].

Impact

Successful exploitation leads to arbitrary code execution via unsafe deserialization of untrusted data. The attacker gains full control over the affected Dubbo provider, potentially compromising the entire application and its data [1].

Mitigation

The issue is fixed in Apache Dubbo versions 2.7.13 and 3.0.2, which quickly fail when any unrecognized request is found. Users should upgrade to these versions or later. The Apache Dubbo project [2] provides the fixed versions. No workarounds are mentioned in the references. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Ecosystem   Affected versions    Patched versions
org.apache.dubbo:dubbo   Maven       < 2.7.13             2.7.13
org.apache.dubbo:dubbo   Maven       >= 3.0.0, < 3.0.2    3.0.2

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 3

News mentions: 0