GHSA-6x49-w35h-wqrj

GitHub Security Advisory

Bypass serialize checks in Apache Dubbo

✓ GitHub Reviewed CRITICAL Has CVE

Advisory Details

A deserialization vulnerability existed when decoding a malicious package. This issue affects Apache Dubbo: from 3.1.0 through 3.1.10, and from 3.2.0 through 3.2.4.

Users are recommended to upgrade to the latest version, which fixes the issue.

Affected Packages

Maven org.apache.dubbo:dubbo
Affected versions: 3.1.0 (fixed in 3.1.11)
Maven org.apache.dubbo:dubbo
Affected versions: 3.2.0 (fixed in 3.2.5)

Key Information

GHSA ID: GHSA-6x49-w35h-wqrj
Published: December 15, 2023 9:30 AM
Last Modified: February 13, 2025 7:28 PM
CVSS Score: 9.0/10
Primary Ecosystem: Maven
Primary Package: org.apache.dubbo:dubbo
GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 27, 2025 6:35 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.