CVE-2023-23638

MEDIUM

Apache Dubbo 2.7.0-2.7.21, 3.0.0-3.0.13, 3.1.0-3.1.5 - Remote Code Execution via Generic Invoke Deserialization

Title source: llm

Exploitation Summary

EIP tracks 6 public exploits for CVE-2023-23638. PoCs published by YYHYlh, X1r0z, JAckLosingHeart.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2023-23638, targeting Apache Dubbo 3.x. It includes both command execution and service discovery capabilities, with support for GUI and command-line interfaces.

Description

A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions.

Exploits (6)

nomisec WORKING POC 231 stars

by YYHYlh · poc

https://github.com/YYHYlh/Apache-Dubbo-CVE-2023-23638-exp

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2023-23638, targeting Apache Dubbo 3.x. It includes both command execution and service discovery capabilities, with support for GUI and command-line interfaces.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Apache Dubbo 3.x

No auth needed

Prerequisites: Network access to vulnerable Dubbo service · Java runtime environment

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 34 stars

by X1r0z · poc

https://github.com/X1r0z/dubbo-rce

View Code ZIP pw:eip

This repository contains a functional exploit PoC for CVE-2023-23638, leveraging Java deserialization via Hessian to bypass Dubbo's serialization checks and achieve RCE through JNDI injection. The exploit manipulates `SerializeClassChecker` to allow deserialization of `JdbcRowSetImpl`, which triggers an LDAP-based payload.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Apache Dubbo (versions affected by CVE-2023-23638)

No auth needed

Prerequisites: Java 8 environment · ZooKeeper setup · LDAP server for JNDI payload delivery · VM parameter `-Ddubbo.hessian.allowNonSerializable=true`

MITRE ATT&CK

T1189 - Drive-by Compromise T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 19, 2026 Full analysis →

github WORKING POC 5 stars

by JAckLosingHeart · javapoc

https://github.com/JAckLosingHeart/CVE-PoC-Collection/tree/main/dubbo-CVE-2023-23638

View Code ZIP pw:eip

The repository contains a functional PoC for CVE-2023-23638, demonstrating a deserialization attack in Apache Dubbo. The exploit manipulates the SerializeClassChecker to allow deserialization of malicious classes, leading to remote code execution via LDAP.

Classification

Working Poc 95%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Reliable

Target: Apache Dubbo

No auth needed

Prerequisites: Access to a vulnerable Dubbo service · LDAP server for payload delivery

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 27, 2026 Full analysis →

nomisec WORKING POC 1 stars

by cuijiung · poc

https://github.com/cuijiung/dubbo-CVE-2023-23638

View Code ZIP pw:eip

This repository contains a functional exploit PoC for CVE-2023-23638, leveraging Java deserialization in Apache Dubbo to bypass class restrictions and achieve JNDI injection. The exploit manipulates SerializeClassChecker to allow deserialization of malicious classes like JdbcRowSetImpl.

Classification

Working Poc 95%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Reliable

Target: Apache Dubbo (versions affected by CVE-2023-23638)

No auth needed

Prerequisites: Java 8 environment · ZooKeeper setup · VM parameter -Ddubbo.hessian.allowNonSerializable=true

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec STUB

by P4x1s · poc

https://github.com/P4x1s/CVE-2023-23638-Tools

View Code ZIP pw:eip

The repository contains only a README.md file with minimal content, providing no functional exploit code or technical details about CVE-2023-23638.

Classification

Stub 90%

Attack Type

Other

Complexity

Trivial

Reliability

Theoretical

Target: unknown

No auth needed

devstral-2 · analyzed Feb 18, 2026 Full analysis →

inthewild WORKING POC

poc

https://github.com/x1r0z/cve-2023-23638

View Code ZIP pw:eip

This repository contains a functional exploit PoC for CVE-2023-23638, leveraging Java deserialization via Apache Dubbo's Hessian protocol to achieve RCE. The exploit manipulates SerializeClassChecker to bypass restrictions and triggers JNDI injection via JdbcRowSetImpl.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Apache Dubbo (versions affected by CVE-2023-23638)

No auth needed

Prerequisites: Java 8 environment · ZooKeeper setup · VM parameter '-Ddubbo.hessian.allowNonSerializable=true' · LDAP server for JNDI payload delivery

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 23, 2026 Full analysis →

References (1)

Core 1

Core References

Issue Tracking, Vendor Advisory vendor-advisory

https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb

Scores

CVSS v3 5.0

EPSS 0.5029

EPSS Percentile 97.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-502

Status published

Products (2)

apache/dubbo 2.7.0 - 2.7.21

org.apache.dubbo/dubbo 0 - 2.7.22Maven

Published Mar 08, 2023

Tracked Since Feb 18, 2026