Apache Dubbo: Bypass deny serialize list check in Apache Dubbo
Description
Deserialization of Untrusted Data vulnerability in Apache Dubbo. This issue only affects Apache Dubbo 3.1.5.
Users are recommended to upgrade to the latest version, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Dubbo 3.1.5 contains a deserialization vulnerability that allows bypassing the deny serialization list, enabling potential remote code execution.
Vulnerability
Overview
CVE-2023-46279 is a deserialization of untrusted data vulnerability in Apache Dubbo 3.1.5, which bypasses the deny-serialization-list mechanism [1][3]. The root cause lies in improper validation during deserialization of untrusted data, allowing an attacker to provide crafted serialized objects that should have been blocked [3].
Exploitation
An attacker can exploit this vulnerability by sending malicious serialized data to an affected Apache Dubbo service. The attack requires network access to the Dubbo endpoint, but does not require authentication [3]. The bypass of the deny list means that certain dangerous classes or patterns that are normally forbidden can be deserialized, potentially leading to arbitrary code execution [3].
Impact
Successful exploitation could allow an attacker to achieve remote code execution (RCE) within the context of the Dubbo server process [3]. This can lead to full compromise of the application and underlying infrastructure, including data theft, service disruption, or further lateral movement within the network.
Mitigation
Users of Apache Dubbo 3.1.5 are strongly advised to upgrade to the latest version of Dubbo, which includes a fix for this vulnerability [1][3]. As of the publication date, no known workarounds have been published; upgrading is the only mitigation [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.dubbo:dubbo (Maven) | >= 3.1.5, < 3.1.6 | 3.1.6 |
Affected products
- Apache Software Foundation / Apache Dubbo, affected range: 3.1.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-97rv-88gf-phvr (GHSA advisory)
2. lists.apache.org/thread/zw53nxrkrfswmk9n3sfwxmcj7x030nmo (vendor advisory)
3. nvd.nist.gov/vuln/detail/CVE-2023-46279 (NVD advisory)
4. www.openwall.com/lists/oss-security/2023/12/15/3 (oss-security mailing list)
News mentions
No linked articles in our index yet.