Dubbo Hessian causes RCE on parse error
Description
A deserialization vulnerability existed in Dubbo hessian-lite 3.2.11 and earlier versions that could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol; when Hessian catches an unexpected exception it logs some information for users, and this path may cause remote command execution. This issue affects Apache Dubbo 2.6.x versions prior to 2.6.12, Apache Dubbo 2.7.x versions prior to 2.7.15, and Apache Dubbo 3.0.x versions prior to 3.0.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A remote code execution vulnerability in the hessian-lite deserialization library used by Apache Dubbo, reached through the error-reporting path taken when deserialization hits unexpected input.
Vulnerability
A deserialization vulnerability exists in the hessian-lite library (version 3.2.11 and earlier) used by Apache Dubbo [1]. When a Hessian deserialization operation encounters data it does not expect, the library builds its error report from that attacker-controlled input: the unexpected value is itself deserialized so that it can be rendered into the message, which lets the sender choose the class that is instantiated and whose string conversion runs. The affected Apache Dubbo versions are: 2.6.x prior to 2.6.12, 2.7.x prior to 2.7.15, and 3.0.x prior to 3.0.5 [1].
Exploitation
An attacker needs to be able to send crafted Hessian2 payloads to a Dubbo provider that uses the default Hessian2 protocol [1]. The payload deliberately presents a type the reader does not expect; on that error path hessian-lite deserializes the offending value in order to include it in the error message, so the attacker controls which class is instantiated and whose toString() is invoked while the message is assembled, and that call is the foothold for command execution. The description names no authentication prerequisite, so the attack is potentially unauthenticated over the network from any host that can reach the RPC port.
Impact
Successful exploitation allows an attacker to execute arbitrary commands on the server running the vulnerable Dubbo instance. This leads to a full compromise of the confidentiality, integrity, and availability of the affected system [1].
Mitigation
Apache Dubbo users should upgrade to the fixed versions for their branch: 2.6.12, 2.7.15, or 3.0.5 (or later) [1]. Because hessian-lite is pulled in as a Dubbo dependency, confirm that the hessian-lite version actually resolved on the classpath is the patched one: a nearer declaration or a dependency-management override can keep an older hessian-lite in place even after the Dubbo upgrade. No workaround or EOL status is mentioned in the available reference [1], and the CVE is not listed in the known exploited vulnerabilities (KEV) catalog as per the reference.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.dubbo:dubbo | Maven | >= 2.6.0, < 2.6.12 | 2.6.12 |
| org.apache.dubbo:dubbo | Maven | >= 2.7.0, < 2.7.15 | 2.7.15 |
| org.apache.dubbo:dubbo | Maven | >= 3.0.0, < 3.0.5 | 3.0.5 |
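As an added example (not part of the advisory and not Dubbo's own tooling), the following Python script applies the ranges in the table above, together with the mitigation advice to check the resolved hessian-lite version, to a dependency listing in the format printed by `mvn dependency:tree`. The tree excerpt is constructed for the example. The hessian-lite range is taken from the description ("3.2.11 and its earlier versions"); its `com.alibaba` groupId and 3.2.12 as its patched version are assumptions. Version ordering is a numeric-component simplification of Maven's rules, so a `-SNAPSHOT` of a patched version is treated as patched here although Maven orders it before the release.

```python
import sys

# Advisory ranges: (groupId:artifactId, inclusive lower bound, exclusive upper bound, patched).
# The org.apache.dubbo rows mirror the table above. The hessian-lite row is derived from the
# description ("3.2.11 and its earlier versions"); the com.alibaba groupId and 3.2.12 as the
# patched version are assumptions made for this example.
ADVISORY_RANGES = [
    ("org.apache.dubbo:dubbo", "2.6.0", "2.6.12", "2.6.12"),
    ("org.apache.dubbo:dubbo", "2.7.0", "2.7.15", "2.7.15"),
    ("org.apache.dubbo:dubbo", "3.0.0", "3.0.5", "3.0.5"),
    ("com.alibaba:hessian-lite", "0", "3.2.12", "3.2.12"),
]

# Constructed `mvn dependency:tree` excerpt (not real project output).
SAMPLE_TREE = """\
[INFO] com.example:orders:jar:1.0.0
[INFO] +- org.apache.dubbo:dubbo:jar:2.7.8:compile
[INFO] |  +- com.alibaba:hessian-lite:jar:3.2.8:compile
[INFO] |  \\- org.javassist:javassist:jar:3.28.0-GA:compile
[INFO] +- org.apache.dubbo:dubbo-spring-boot-starter:jar:2.7.15:compile
[INFO] \\- ch.qos.logback:logback-classic:jar:1.2.10:compile
"""


def parse_version(version):
    """Split a version into numeric components, dropping any qualifier after '-'.
    Simplification of Maven ordering: '2.7.15-SNAPSHOT' compares equal to '2.7.15'."""
    core = version.split("-", 1)[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))


def vcmp(a, b):
    """Return -1, 0 or 1 comparing versions a and b after zero-padding to equal length."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(coord, version):
    """Return the patched version if coord@version falls in an advisory range, else None."""
    for pkg, lo, hi, patched in ADVISORY_RANGES:
        if pkg == coord and vcmp(version, lo) >= 0 and vcmp(version, hi) < 0:
            return patched
    return None


def parse_tree_line(line):
    """Extract (groupId:artifactId, version) from one dependency:tree line, or None.
    Tokens are g:a:packaging:version[:scope] or g:a:packaging:classifier:version:scope."""
    for token in line.split():
        if token.count(":") < 3:
            continue
        fields = token.split(":")
        version = fields[4] if len(fields) == 6 else fields[3]
        return f"{fields[0]}:{fields[1]}", version
    return None


def scan(tree_text):
    """Return [(coord, resolved version, patched version)] for every affected artifact."""
    findings = []
    for line in tree_text.splitlines():
        parsed = parse_tree_line(line)
        if parsed is None:
            continue
        coord, version = parsed
        patched = is_affected(coord, version)
        if patched is not None:
            findings.append((coord, version, patched))
    return findings


if __name__ == "__main__":
    # Usage: python check_dubbo.py [tree.txt]; with no file the constructed sample is scanned.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TREE
    for coord, version, patched in scan(text):
        print(f"{coord}:{version} is affected by CVE-2021-43297; upgrade to {patched}")
```

Note that the match is on the exact `groupId:artifactId` in the advisory, so a starter or BOM artifact with a patched-looking version does not count as evidence; what matters is the `org.apache.dubbo:dubbo` and hessian-lite artifacts that Maven actually resolved, which is why the check runs over the tree rather than over the declared dependencies.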
Affected products
- Apache Software Foundation / Apache Dubbo (range: Apache Dubbo 2.6.x)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-vp5x-3v8r-qprw (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-43297 (NVD entry)
- lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww (Apache mailing list announcement)
News mentions
No linked articles in our index yet.