The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by the server. But there's an exception that the attacker can use to skip the security check (when enabled) and reaching a deserialization operation with native java serialization. Apache Dubbo 2.7.13, 3.0.2 fixed this issue by quickly fail when any unrecognized request was found.

Affected Packages

Maven org.apache.dubbo:dubbo

Affected versions: 0 (fixed in 2.7.13)

Maven org.apache.dubbo:dubbo

Affected versions: 3.0.0 (fixed in 3.0.2)

Related CVEs

CVE-2021-37579

Key Information

GHSA ID

GHSA-q897-9jxf-jg9r

Published

September 10, 2021 5:56 PM

Last Modified

September 20, 2021 8:18 PM

CVSS Score

9.0 /10

Primary Ecosystem

Maven

Primary Package

org.apache.dubbo:dubbo

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 28, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.