CVE-2021-25640

MEDIUM

Apache Dubbo 2.5.0-2.6.8 and 2.7.0-2.7.9 - Server-Side Request Forgery via parseURL Host Check Bypass

Title source: llm
STIX 2.1

Description

In Apache Dubbo prior to 2.6.9 and 2.7.9, the usage of parseURL method will lead to the bypass of white host check which can cause open redirect or SSRF vulnerability.

References (1)

Core 1

Scores

CVSS v3 6.1
EPSS 0.0207
EPSS Percentile 79.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-601 CWE-918
Status published
Products (3)
apache/dubbo 2.5.0 - 2.6.9
com.alibaba/dubbo 2.5.0 - 2.6.9Maven
org.apache.dubbo/dubbo 2.5.0 - 2.7.10Maven
Published Jun 01, 2021
Tracked Since Feb 18, 2026