Apache Dubbo Hessian Deserialization Vulnerability Gadgets Bypass
Description
A deserialization vulnerability existed in Dubbo hessian-lite 3.2.12 and earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x versions 2.7.17 and prior; Apache Dubbo 3.0.x versions 3.0.11 and prior; and Apache Dubbo 3.1.x versions 3.1.0 and prior.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A deserialization vulnerability in Apache Dubbo's hessian-lite library (≤3.2.12) allows remote code execution via crafted serialized data.
Vulnerability
Overview
CVE-2022-39198 is a deserialization vulnerability in the hessian-lite library used by Apache Dubbo. Versions 3.2.12 and earlier of hessian-lite fail to properly validate serialized objects before deserialization, allowing an attacker to inject malicious data that can trigger arbitrary code execution on the server [1].
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted serialized object to a Dubbo service that uses the vulnerable hessian-lite library. No authentication is required if the service is exposed to untrusted networks; the attacker only needs network access to a Dubbo endpoint that accepts serialized payloads [1].
Impact
Successful exploitation leads to remote code execution (RCE) with the privileges of the Dubbo process. This can result in full compromise of the affected system, including data theft, service disruption, or lateral movement within the network [1].
Mitigation
The vulnerability is fixed in hessian-lite version 3.2.13 [3]. Apache Dubbo users should upgrade to Dubbo 2.7.18+, 3.0.12+, or 3.1.1+, which include the patched hessian-lite library [4]. No workarounds are available; upgrading is the recommended action.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.alibaba:hessian-lite (Maven) | < 3.2.13 | 3.2.13 |
| org.apache.dubbo:dubbo (Maven) | >= 2.7.0, < 2.7.18 | 2.7.18 |
| org.apache.dubbo:dubbo (Maven) | >= 3.0.0, < 3.0.12 | 3.0.12 |
| org.apache.dubbo:dubbo (Maven) | >= 3.1.0, < 3.1.1 | 3.1.1 |
Affected products
- GHSA coordinates (no CPE), range: < 3.2.13
- GHSA coordinates (no CPE), range: >= 2.7.0, < 2.7.18
- Apache Software Foundation / Apache Dubbo (CVE v5 record), range: Apache Dubbo 2.7.x
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-5qwq-g2hx-r6f7 (GHSA, advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2022-39198 (GHSA, advisory)
- [3] github.com/apache/dubbo-hessian-lite/releases/tag/v3.2.13 (GHSA, web)
- [4] github.com/apache/dubbo/releases/tag/dubbo-2.7.18 (GHSA, web)
- [5] github.com/apache/dubbo/releases/tag/dubbo-3.0.12 (GHSA, web)
- [6] github.com/apache/dubbo/releases/tag/dubbo-3.1.1 (GHSA, web)
- [7] lists.apache.org/thread/8d3zqrkoy4jh8dy37j4rd7g9jodzlvkk (GHSA, web)
News mentions
No linked articles in our index yet.