CVE-2021-25640
MEDIUM
Apache Dubbo 2.5.0-2.6.8 and 2.7.0-2.7.9 - Server-Side Request Forgery via parseURL Host Check Bypass
Title source: llmDescription
In Apache Dubbo prior to 2.6.9 and 2.7.9, use of the parseURL method leads to a bypass of the white-host check, which can result in an open redirect or SSRF vulnerability.
References (1)
Core 1
Core References
Mailing List, Vendor Advisory x_refsource_misc
https://lists.apache.org/thread.html/re4cab8855361a454d2af106fb3dad76259e723015fd7e09cb4f9eb77%40%3Cdev.dubbo.apache.org%3E
Scores
CVSS v3
6.1
EPSS
0.0070
EPSS Percentile
72.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-918
CWE-601
Status
published
Products (3)
apache/dubbo
2.5.0 - 2.6.9
com.alibaba/dubbo
2.5.0 - 2.6.9
Maven
org.apache.dubbo/dubbo
2.5.0 - 2.7.10
Maven
Published
Jun 01, 2021
Tracked Since
Feb 18, 2026