VYPR
Moderate severity · NVD Advisory · Published Jun 6, 2022 · Updated Aug 3, 2024

bypass of CVE-2021-25640

CVE-2022-24969

Description

bypass CVE-2021-25640 > In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Dubbo before 2.6.12 and 2.7.15 allows open redirect or SSRF due to a bypass of the host whitelist in the parseURL method.

CVE-2022-24969 is a bypass of CVE-2021-25640 in Apache Dubbo. The parseURL method fails to properly validate hostnames, allowing attackers to bypass the whitelist check. This affects Dubbo versions prior to 2.6.12 and 2.7.15. [1][2]

Exploitation requires an attacker to craft a malicious URL that passes through the parseURL method. The attack can be performed remotely without authentication, as Dubbo's URL handling is central to its RPC communication. The whitelist was intended to prevent SSRF and open redirect, but the bypass circumvents it. [1][3]

Impact includes potential open redirect to malicious sites or server-side request forgery (SSRF), enabling an attacker to make the server send requests to internal resources. This can lead to information disclosure or further compromise. [2][3]

Mitigation: Upgrade to Apache Dubbo 2.6.12 or 2.7.15 or later. No workarounds are documented. The issue is related to CVE-2021-25640, whose fix was only partial; this bypass shows that the original patch did not fully close the problem. [2]

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Ecosystem  Affected versions    Patched versions
org.apache.dubbo:dubbo   Maven      >= 2.5.0, < 2.7.15   2.7.15
com.alibaba:dubbo        Maven      >= 2.5.0, < 2.6.12   2.6.12

Affected products (3)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (5)

News mentions (0)

No linked articles in our index yet.