Guangliang Yang

**Name of the Vulnerable Software and Affected Versions** Apache Dubbo versions 3.1.0 through 3.1.10 Apache Dubbo versions 3.2.0 through 3.2.4 **Description** A deserialization vulnerability exists when decoding a malicious package, which can allow a remote attacker to execute arbitrary code or cause a denial of service. The issue is related to shortcomings in the deserialization mechanism of the Apache Dubbo RPC framework. **Recommendations** For Apache Dubbo versions 3.1.0 through 3.1.10, upgrade to the latest version to fix the issue. For Apache Dubbo versions 3.2.0 through 3.2.4, upgrade to the latest version to fix the issue. As a temporary workaround, consider restricting the decoding of packages to minimize the risk of exploitation.