This topic describes the RCE vulnerability that exists in Dubbo Hessian and how to prevent RCE attacks by fixing the vulnerability.

Vulnerability description

An RCE vulnerability exists in Dubbo Hessian Lite 3.2.11 or earlier. When serialization errors occur, Hessian Lite may export the information about the errors. This may trigger the execution of malicious code in the toString method of a custom bean to initiate RCE attacks.

Vulnerability severity


Affected users

  • All users who use Dubbo 2.6.0 to 2.6.11.
  • All users who use Dubbo 2.7.0 to 2.7.14.
  • All users who use Dubbo 3.0.0 to 3.0.4.


Update Dubbo to one of the following versions:

  • If you use Dubbo 2.6.x, update Dubbo to 2.6.12.
  • If you use Dubbo 2.7.x, update Dubbo to 2.7.15.
  • If you use Dubbo 3.0.x, update Dubbo to 3.0.5.

If your applications fail to be fixed or verified in a timely manner, we recommend that you activate ARMS at the earliest opportunity. The service is developed based on the RASP technology and can protect your applications from attacks.