CVE-2020-11995

CVE-2020-11995: Apache Dubbo default deserialization protocol Hessian2 cause CRE

Vendor Apache Software Foundation

Product Apache Dubbo

Weakness CWE-502 · Unsafe deserialization

Published January 11, 2021

Last update February 13, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

A deserialization vulnerability existed in dubbo 2.7.5 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protool, during Hessian2 deserializing the HashMap object, some functions in the classes stored in HasMap will be executed after a series of program calls, however, those special functions may cause remote command execution. For example, the hashCode() function of the EqualsBean class in rome-1.7.0.jar will cause the remotely load malicious classes and execute malicious code by constructing a malicious request. This issue was fixed in Apache Dubbo 2.6.9 and 2.7.8.

Key dates

02Disclosure timeline

January 11, 2021 CVE published

February 13, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2020-11995

Related vulnerabilities

04Related CVE

CVE-2017-3207 WebORB for Java by Midnight Coders, version 5.1.1.0, Action Message Format (AMF3) Java implementation is vulnerable to insecure deserialization CVE-2026-52751 Ghidra < 12.1 - Remote Code Execution via Unfiltered RMI Deserialization in Shared Project Connection CVE-2026-48853 Remote code execution and denial of service via unsafe Erlang term deserialization in elixir-grpc/grpc CVE-2024-42363 GHSL-2023-136_Samson CVE-2026-39532 WordPress Events Calendar for GeoDirectory plugin <= 2.3.25 - PHP Object Injection vulnerability