CVE-2020-1948
Severity: CRITICAL
Apache Dubbo < 2.5.10 - Insecure Deserialization
Title source: ruleDescription
This vulnerability can affect all Dubbo users who stay on version 2.7.6 or lower. An attacker can send RPC requests with an unrecognized service name or method name along with malicious parameter payloads. When the malicious parameter is deserialized, it will execute malicious code. More details can be found below.
Exploits (4)
nomisec
WORKING POC
18 stars
by richardzhangcmplx · poc
https://github.com/richardzhangcmplx/Dubbo-deserialization
Scores
CVSS v3
9.8
EPSS
0.6360
EPSS Percentile
98.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Classification
CWE
CWE-502
Status
published
Affected Products (3)
apache/dubbo
< 2.5.10
org.apache.dubbo/dubbo
< 2.7.7 (Maven)
org.apache.dubbo/dubbo-common
< 2.7.7 (Maven)
Timeline
Published
Jul 14, 2020
Tracked Since
Feb 18, 2026