orbisai0security opened a new pull request, #16256: URL: https://github.com/apache/dubbo/pull/16256
## Summary

Fix critical severity security issue in `dubbo-rpc/dubbo-rpc-triple/src/main/java/org/apache/dubbo/rpc/protocol/tri/rest/support/basic/ParamArgumentResolver.java`.

## Vulnerability

| Field | Value |
|-------|-------|
| **ID** | V-003 |
| **Severity** | CRITICAL |
| **Scanner** | multi_agent_ai |
| **Rule** | `V-003` |
| **File** | `dubbo-rpc/dubbo-rpc-triple/src/main/java/org/apache/dubbo/rpc/protocol/tri/rest/support/basic/ParamArgumentResolver.java:75` |
| **CWE** | CWE-502 |

**Description**: The Triple protocol's ParamArgumentResolver passes form parameters and request body content from HTTP requests directly into the argument resolution pipeline without evidence of class whitelisting or deserialization filtering. Apache Dubbo has a well-documented history of critical insecure deserialization vulnerabilities (CVE-2019-17564, CVE-2021-25641, CVE-2021-30179, CVE-2023-29234). If the underlying serialization format (Hessian, Java native serialization, or Kryo) is used without proper class filtering, crafted payloads using known Java gadget chains can achieve remote code execution on the server.

## Changes

- `dubbo-rpc/dubbo-rpc-triple/src/main/java/org/apache/dubbo/rpc/protocol/tri/rest/util/RequestUtils.java`

## Verification

- [x] Build passes
- [x] Scanner re-scan confirms fix
- [x] LLM code review passed

---

*Automated security fix by [OrbisAI Security](https://orbisappsec.com)*

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
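The description above refers to "class whitelisting or deserialization filtering" as the missing control. The following is an added example, not code from the PR, from Dubbo, or from the scanner vendor, showing what such an allowlist looks like for Java native serialization using the JDK's standard `java.io.ObjectInputFilter` mechanism (available since JDK 9). Only the declared request type is accepted; every other class in the stream is rejected before its deserialization logic runs. The `OrderRequest` type, the class name `AllowlistDeserializationDemo` and the sample values are constructed for the example; Hessian and Kryo have their own allowlist hooks and are not covered here.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class AllowlistDeserializationDemo {

    /** Constructed DTO standing in for the one argument type a handler is expected to receive. */
    public static final class OrderRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sku;
        final int quantity;

        OrderRequest(String sku, int quantity) {
            this.sku = sku;
            this.quantity = quantity;
        }
    }

    // Allowlist filter (JDK pattern syntax): the request type and java.lang.String are permitted,
    // "!*" rejects every other class, and the depth/array limits bound resource use.
    // Nested classes are named with '$', as Class.getName() reports them.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxarray=1000;"
            + AllowlistDeserializationDemo.class.getName() + "$OrderRequest;"
            + "java.lang.String;!*");

    /** Serializes an object with plain Java serialization (used only to build sample input). */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserializes untrusted bytes with the allowlist installed before any object is read. */
    static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(ALLOWLIST); // must be set before readObject()
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected input: the declared request type passes the filter.
        byte[] ok = serialize(new OrderRequest("SKU-123", 3));
        OrderRequest r = (OrderRequest) deserializeFiltered(ok);
        System.out.println("accepted: " + r.sku + " x" + r.quantity);

        // Anything else, even an ordinary JDK collection, is rejected by the filter
        // with InvalidClassException before its readObject logic executes.
        byte[] other = serialize(new HashMap<String, String>());
        try {
            deserializeFiltered(other);
            System.out.println("unexpected: HashMap was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The design point is that the allowlist is installed on the stream before the first `readObject()` call, so the filter is consulted for every class descriptor as it is encountered rather than after an object graph has already been constructed. A denylist of known gadget classes would be the weaker alternative; a closed allowlist of the types a handler actually declares is the control the description above is asking for.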
