The vulnerability stems from the HTTP remoting support in the http-invoker module. Commit 9b18fe2 removed this module entirely, indicating that the protocol implementation itself was flawed rather than a single call site. HttpInvokerProtocol.export() exposes HTTP endpoints that accept serialized Java objects, and HttpRemoteInvocation.readRemoteInvocation() deserializes those bodies via ObjectInputStream with no restriction on which classes may be instantiated. These functions process untrusted input directly, without validation, which is the pattern described by CWE-502 (Deserialization of Untrusted Data). The patch's removal of these classes confirms their role in the vulnerability.
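The mitigation pattern for the CWE-502 weakness described above, as an added example that is not Dubbo's own code: the unfiltered `ObjectInputStream.readObject()` form is shown beside a hardened reader that installs a deserialization filter (`java.io.ObjectInputFilter`, JDK 9+) so that only an allow-listed set of classes, bounded in depth and size, can be instantiated from a request body. The `Invocation` class, the allow-list contents and the two sample payloads are constructed for illustration and do not correspond to the real HttpRemoteInvocation types.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

public class FilteredInvocationReader {

    // Hypothetical request type standing in for a remote-invocation payload (constructed for this example).
    public static final class Invocation implements Serializable {
        private static final long serialVersionUID = 1L;
        final String method;
        final List<String> args;
        Invocation(String method, List<String> args) { this.method = method; this.args = args; }
    }

    // Unfiltered form: whatever class descriptor the stream names is resolved and instantiated.
    static Object readUnfiltered(InputStream in) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(in)) {
            return ois.readObject();
        }
    }

    // Hardened form: an allow-list filter. Patterns are checked left to right; the trailing "!*"
    // rejects every class not explicitly listed. maxdepth/maxbytes bound nesting and stream size.
    // java.lang.String is listed because the filter is consulted for string records as well.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=8;maxbytes=65536;"
        + Invocation.class.getName() + ";"
        + "java.util.ArrayList;java.lang.String;!*");

    static Object readFiltered(InputStream in) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(in)) {
            ois.setObjectInputFilter(FILTER);   // must be set before the first readObject()
            return ois.readObject();
        }
    }

    // Helper to build sample request bodies; in a real server these bytes arrive over HTTP.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        List<String> a = new ArrayList<>();
        a.add("world");
        byte[] expected = serialize(new Invocation("sayHello", a));
        byte[] unexpected = serialize(new HashMap<String, String>()); // not on the allow list

        Object ok = readFiltered(new ByteArrayInputStream(expected));
        System.out.println("filtered, accepted: " + ok.getClass().getName());

        try {
            readFiltered(new ByteArrayInputStream(unexpected));
            System.out.println("filtered, accepted HashMap (should not happen)");
        } catch (InvalidClassException e) {
            // The filter rejects the class descriptor before any constructor or readObject runs.
            System.out.println("filtered, rejected: " + e.getMessage());
        }

        // The unfiltered reader accepts the same HashMap payload without complaint.
        Object any = readUnfiltered(new ByteArrayInputStream(unexpected));
        System.out.println("unfiltered, accepted: " + any.getClass().getName());
    }
}
```

The design point is that the filter decision is made on the class descriptor as it is read, so a rejected class never reaches resolution or instantiation; a deny-list of known gadget classes is weaker than this allow-list because it must be kept current, whereas the allow-list only has to name the types the endpoint legitimately expects. The same filter can be installed process-wide with `ObjectInputFilter.Config.setSerialFilter(...)` as a backstop for streams that a library opens itself.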
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.dubbo:dubbo-rpc-http-invoker | maven | >= 2.5.0, < 2.7.5 | 2.7.5 |