A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x version 3.0.11 and prior versions; Apache Dubbo 3.1.x version 3.1.0 and prior versions.

Affected Packages

Maven com.alibaba:hessian-lite

Affected versions: 0 (fixed in 3.2.13)

Maven org.apache.dubbo:dubbo

Affected versions: 2.7.0 (fixed in 2.7.18)

Maven org.apache.dubbo:dubbo

Affected versions: 3.0.0 (fixed in 3.0.12)

Maven org.apache.dubbo:dubbo

Affected versions: 3.1.0 (fixed in 3.1.1)

Related CVEs

CVE-2022-39198

Key Information

GHSA ID

GHSA-5qwq-g2hx-r6f7

Published

October 19, 2022 12:00 PM

Last Modified

October 20, 2022 8:11 PM

CVSS Score

9.0 /10

Primary Ecosystem

Maven

Primary Package

com.alibaba:hessian-lite

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 28, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.