CVE-2021-25641

CRITICAL

Apache Dubbo 2.5.0-2.6.8 & 2.7.0-2.7.7 Unauthenticated Deserialization via Serialization ID Tampering

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-25641. PoCs published by Dor-Tumarkin, l0n3rs.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2021-25641, a deserialization vulnerability in Apache Dubbo. The exploit leverages a FastJson gadget chain to achieve remote code execution (RCE) by sending a crafted payload over the Dubbo protocol.

Description

Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, aka, not following the server's instruction. This means that if a weak deserializer such as the Kryo and FST are somehow in code scope (e.g. if Kryo is somehow a part of a dependency), a remote unauthenticated attacker can tell the Provider to use the weak deserializer, and then proceed to exploit it.

Exploits (2)

nomisec WORKING POC 53 stars

by Dor-Tumarkin · poc

https://github.com/Dor-Tumarkin/CVE-2021-25641-Proof-of-Concept

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2021-25641, a deserialization vulnerability in Apache Dubbo. The exploit leverages a FastJson gadget chain to achieve remote code execution (RCE) by sending a crafted payload over the Dubbo protocol.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Apache Dubbo versions <= 2.7.3

No auth needed

Prerequisites: Network access to the target Dubbo service · Target must be running a vulnerable version of Apache Dubbo

MITRE ATT&CK

T1189 - Drive-by Compromise T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec SUSPICIOUS 4 stars

by l0n3rs · poc

https://github.com/l0n3rs/CVE-2021-25641

View Code ZIP pw:eip

The repository claims to be an exploit for CVE-2021-25641 (Apache Dubbo deserialization vulnerability) but provides no actual exploit code, only a README with vague descriptions and a reference to an external JAR file. This is characteristic of a social engineering lure.

Classification

Suspicious 90%

Attack Type

Deserialization

Complexity

Theoretical

Reliability

Theoretical

Target: Apache Dubbo (versions 2.5.x, 2.6.0-2.6.9, 2.7.0-2.7.8)

No auth needed

Prerequisites: External JAR download

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1

Core References

Mailing List, Vendor Advisory x_refsource_misc

https://lists.apache.org/thread.html/r99ef7fa35585d3a68762de07e8d2b2bc48b8fa669a03e8d84b9673f3%40%3Cdev.dubbo.apache.org%3E

Scores

CVSS v3 9.8

EPSS 0.1767

EPSS Percentile 96.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-502

Status published

Products (3)

apache/dubbo 2.5.0 - 2.6.9

com.alibaba/dubbo 2.5.0 - 2.6.9Maven

org.apache.dubbo/dubbo 2.5.0 - 2.7.8Maven

Published Jun 01, 2021

Tracked Since Feb 18, 2026