CVE-2021-30180

CRITICAL

Apache Dubbo <2.7.9 - RCE

Description

Apache Dubbo prior to 2.7.9 supports Tag routing, which enables a customer to route a request to the right server. Customers use these rules when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers may enable the calling of arbitrary constructors.

Exploits (1)

nomisec STUB
by shoucheng3 · poc
https://github.com/shoucheng3/apache__dubbo_CVE-2021-30180_2-7-9

Scores

CVSS v3 9.8
EPSS 0.0440
EPSS Percentile 89.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-444
Status published
Products (2)
apache/dubbo 2.7.0 - 2.7.10
org.apache.dubbo/dubbo 2.7.0 - 2.7.10 (Maven)
Published Jun 01, 2021
Tracked Since Feb 18, 2026