CVE-2021-30180

CRITICAL

Apache Dubbo < 2.7.10 - Remote Code Execution via Tag Routing YAML Parsing

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-30180. PoCs published by shoucheng3.

AI-analyzed exploit summary: The repository appears to be a fork or snapshot of the Apache Dubbo project with no explicit exploit code or technical analysis related to CVE-2021-30180. It contains standard project files (CI/CD workflows, issue templates, etc.) but lacks any PoC or writeup specific to the vulnerability.

Description

Apache Dubbo prior to 2.7.9 supports Tag routing, which enables a customer to route a request to the right server. These rules are used by customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers may enable calling arbitrary constructors.

Exploits (1)

nomisec STUB
by shoucheng3 · poc
https://github.com/shoucheng3/apache__dubbo_CVE-2021-30180_2-7-9

Classification Stub 90%
Attack Type Other
Complexity Trivial
Reliability Theoretical
Target: Apache Dubbo
No auth needed
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3 9.8
EPSS 0.0440
EPSS Percentile 89.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-444
Status published
Products (2)
apache/dubbo 2.7.0 - 2.7.10
org.apache.dubbo/dubbo 2.7.0 - 2.7.10 (Maven)
Published Jun 01, 2021
Tracked Since Feb 18, 2026