{"id":"CVE-2021-36161","details":"Some component in Dubbo will try to print the formatted string of the input arguments, which will possibly cause RCE for a maliciously customized bean with a special toString method. In the latest version, we fix the toString call in timeout, cache and some other places. Fixed in Apache Dubbo 2.7.13","aliases":["GHSA-qvm7-23cj-437v"],"modified":"2026-04-12T00:39:31.697525Z","published":"2021-09-09T08:15:28.667Z","references":[{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/r40212261fd5d638074b65f22ac73eebe93ace310c79d4cfcca4863da%40%3Cdev.dubbo.apache.org%3E"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/dubbo","events":[{"introduced":"614bcebc01336ee5047a98f96b28915680c0399c"},{"fixed":"9c49efeacfd87d2d4409fb000cebd58e1114ec8a"}],"database_specific":{"cpe":"cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"2.7.0"},{"fixed":"2.7.13"}],"source":"CPE_FIELD"}}],"database_specific":{"vanir_signatures_modified":"2026-04-12T00:39:31Z","vanir_signatures":[{"id":"CVE-2021-36161-302e3b9a","signature_version":"v1","target":{"file":"dubbo-remoting/dubbo-remoting-api/src/test/java/org/apache/dubbo/remoting/exchange/support/DefaultFutureTest.java"},"deprecated":false,"source":"https://github.com/apache/dubbo/commit/9c49efeacfd87d2d4409fb000cebd58e1114ec8a","digest":{"threshold":0.9,"line_hashes":["63240973352874591703004217537934715748","285723713262584181958599052222858507853","316048047893920617316449111688895297450"]},"signature_type":"Line"},{"id":"CVE-2021-36161-d1e77617","signature_version":"v1","target":{"function":"closeChannel","file":"dubbo-remoting/dubbo-remoting-api/src/main/java/org/apache/dubbo/remoting/exchange/support/DefaultFuture.java"},"deprecated":false,"source":"https://github.com/apache/dubbo/commit/9c49efeacfd87d2d4409fb000cebd58e1114ec8a","digest":{"function_hash":"4863761830588223872434984121035313721","length":582},"signature_type":"Function"},{"id":"CVE-2021-36161-d98b89a0","signature_version":"v1","target":{"file":"dubbo-remoting/dubbo-remoting-api/src/main/java/org/apache/dubbo/remoting/exchange/support/DefaultFuture.java"},"deprecated":false,"source":"https://github.com/apache/dubbo/commit/9c49efeacfd87d2d4409fb000cebd58e1114ec8a","digest":{"threshold":0.9,"line_hashes":["317161288691809419426977543067537146614","28638772766964189145236006874053929600","37426758785719221501285982527572694895","273207489124389298715745917449842553434","57077031217357767338669616143479344864","44506862183579152500133904668039221473","85575028206352999141822831611625619834"]},"signature_type":"Line"}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-36161.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}