This topic describes the causes of Apache Dubbo security vulnerability CVE-2021-36163 and how to fix the vulnerability.

Vulnerability description

You can use the Hessian protocol. Hessian is an HTTP-based protocol. It can directly pass the body of a POST request to a HessianSkeleton.

New HessianSkeleton are created without any configuration of the serialization factory. Therefore, the registry access lists of Dubbo in earlier versions are not applied. By default, the allowed or blocked type lists are not configured for a HessianSkeleton.

Vulnerability severity


Affected users

  • All users who use Dubbo 2.6.10 or earlier.
  • All users who use Dubbo 2.7.0 to 2.7.12.


Update Dubbo to the specified version based on the existing version that you use.

  • If you use Dubbo 2.6.x, update Dubbo to or 2.7.13.
  • If you use Dubbo 2.7.x, update Dubbo to 2.7.13.