GHSA-cpx9-4rwv-486v
GitHub Security Advisory
Hessian protocol configuration vulnerability in Apache Dubbo
✓ GitHub Reviewed
CRITICAL
Has CVE
Advisory Details
In Apache Dubbo, users may choose to use the Hessian protocol. The Hessian protocol is implemented on top of HTTP and passes the body of a POST request directly to a HessianSkeleton. New HessianSkeleton instances are created without any configuration of the serialization factory, and therefore without applying the Dubbo properties that define allowed or blocked type lists. In addition, the generic service is always exposed, so attackers do not need to discover a valid service/method name pair. This is fixed in 2.7.13 and 2.6.10.1.
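The weakness above is a skeleton that decodes request bodies with a default, unrestricted serializer factory. The following is an added illustration, not Dubbo's own code or its actual fix, of the unconfigured form beside a hardened one that gives the HessianSkeleton an explicitly allowlisted Hessian SerializerFactory; the GreetingService interface and the com.example.greeting.model package are assumed for the example.

```java
import com.caucho.hessian.io.ClassFactory;
import com.caucho.hessian.io.SerializerFactory;
import com.caucho.hessian.server.HessianSkeleton;

import java.io.InputStream;
import java.io.OutputStream;

// Hypothetical service used only for this example.
interface GreetingService {
    String greet(String name);
}

class GreetingServiceImpl implements GreetingService {
    public String greet(String name) { return "hello " + name; }
}

public class HessianEndpoint {

    // Weak form: a fresh HessianSkeleton falls back to a default SerializerFactory,
    // so the set of types the decoder will instantiate is not restricted by any
    // allow or block list configured elsewhere.
    static HessianSkeleton unconfiguredSkeleton() {
        return new HessianSkeleton(new GreetingServiceImpl(), GreetingService.class);
    }

    // Hardened form: build the SerializerFactory explicitly, switch its ClassFactory
    // to allowlist mode, admit only the types the service legitimately exchanges,
    // and hand that factory to the skeleton before it reads any request.
    static HessianSkeleton hardenedSkeleton() {
        SerializerFactory factory = new SerializerFactory();
        ClassFactory classFactory = factory.getClassFactory();
        classFactory.setWhitelist(true);                    // deny anything not listed
        classFactory.allow("java.lang.String");
        classFactory.allow("com.example.greeting.model.*"); // assumed model package

        HessianSkeleton skeleton =
            new HessianSkeleton(new GreetingServiceImpl(), GreetingService.class);
        skeleton.setSerializerFactory(factory);
        return skeleton;
    }

    // The skeleton decodes the POST body with whichever factory it holds, so the
    // allowlist applies no matter which service or method name the caller targets.
    static void handle(HessianSkeleton skeleton, InputStream body, OutputStream out)
            throws Exception {
        skeleton.invoke(body, out);
    }
}
```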
Affected Packages
Maven: org.apache.dubbo:dubbo
Affected versions: 2.7.0 (fixed in 2.7.13)
Maven: org.apache.dubbo:dubbo
Affected versions: 0 (fixed in 2.6.10.1)
Related CVEs
Key Information
Severity score: 9.0/10
Dataset
Last updated: July 28, 2025 6:37 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.