VYPR
Critical severityNVD Advisory· Published Oct 18, 2022· Updated May 13, 2025

Apache Dubbo Hession Deserialization Vulnerability Gadgets Bypass

CVE-2022-39198

Description

A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x version 3.0.11 and prior versions; Apache Dubbo 3.1.x version 3.1.0 and prior versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
com.alibaba:hessian-liteMaven
< 3.2.133.2.13
org.apache.dubbo:dubboMaven
>= 2.7.0, < 2.7.182.7.18
org.apache.dubbo:dubboMaven
>= 3.0.0, < 3.0.123.0.12
org.apache.dubbo:dubboMaven
>= 3.1.0, < 3.1.13.1.1

Affected products

3

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.