Apache · Apache Dubbo · CVE-2021-25641
**Name of the Vulnerable Software and Affected Versions**
Apache Dubbo versions prior to 2.7.8
Apache Dubbo versions prior to 2.6.9
**Description**
The issue allows an attacker to choose the serialization id used by the Provider, bypassing the serialization the server is configured to use. This can lead to exploitation if a weak deserializer, such as `Kryo` or `FST`, is on the provider's classpath. A remote unauthenticated attacker can exploit this weakness.
**Recommendations**
For Apache Dubbo versions prior to 2.7.8, update to version 2.7.8 or later.
For Apache Dubbo versions prior to 2.6.9, update to version 2.6.9 or later.
As a temporary workaround, consider disabling the use of weak deserializers, such as `Kryo` and `FST`, until a patch is applied.
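To make the description and the fix concrete: the serialization id travels in the low five bits of the flag byte of Dubbo's fixed 16-byte protocol header, and an unpatched provider deserialized the body with whatever id the caller sent. The Python below is added here as an illustration, not part of this advisory or of Dubbo's own code; it parses that header and applies the provider-side rule the fix enforces, accepting a request only when its serialization id equals the one the provider is configured with, and names `Kryo`/`FST` in the reject reason so the event is easy to spot in logs. The two frames are constructed sample bytes with empty bodies, and the ids used (hessian2 = 2, kryo = 8, fst = 9) are Dubbo's serialization constants.

```python
import struct

DUBBO_MAGIC = 0xDABB
# Serialization ids from Dubbo's Constants class (only the ones used here).
HESSIAN2_ID = 2
KRYO_ID = 8
FST_ID = 9
WEAK_SERIALIZERS = {KRYO_ID: "kryo", FST_ID: "fst"}


def parse_header(frame: bytes) -> dict:
    """Decode the 16-byte Dubbo header: magic(2) flag(1) status(1) request id(8) body length(4)."""
    if len(frame) < 16:
        raise ValueError("frame shorter than the 16-byte Dubbo header")
    magic, flag, status, request_id, body_length = struct.unpack(">HBBQI", frame[:16])
    if magic != DUBBO_MAGIC:
        raise ValueError("not a Dubbo frame (bad magic)")
    return {
        "is_request": bool(flag & 0x80),   # bit 7: request vs response
        "two_way": bool(flag & 0x40),      # bit 6: caller expects a response
        "is_event": bool(flag & 0x20),     # bit 5: heartbeat/event frame
        "serialization_id": flag & 0x1F,   # bits 0-4: the id an unpatched provider trusted
        "status": status,
        "request_id": request_id,
        "body_length": body_length,
    }


def check_request(frame: bytes, configured_id: int) -> str:
    """Provider-side rule the fix enforces: only the configured serialization id is accepted.
    Returns 'accept' or a 'reject:...' reason suitable for logging."""
    header = parse_header(frame)
    if not header["is_request"]:
        return "accept"  # responses are decoded on the consumer side, not by the provider
    sid = header["serialization_id"]
    if sid == configured_id:
        return "accept"
    weak = WEAK_SERIALIZERS.get(sid)
    if weak is not None:
        return f"reject:weak-serializer:{weak}"
    return f"reject:id-mismatch:{sid}"


# Constructed sample frames (empty bodies), not captured traffic:
# flag 0xC2 = request | two-way | hessian2 (2); flag 0xC8 = request | two-way | kryo (8).
SAMPLE_HESSIAN2_REQUEST = b"\xda\xbb\xc2\x00" + (1).to_bytes(8, "big") + (0).to_bytes(4, "big")
SAMPLE_KRYO_REQUEST = b"\xda\xbb\xc8\x00" + (2).to_bytes(8, "big") + (0).to_bytes(4, "big")

if __name__ == "__main__":
    for name, frame in (("hessian2", SAMPLE_HESSIAN2_REQUEST), ("kryo", SAMPLE_KRYO_REQUEST)):
        print(name, parse_header(frame)["serialization_id"], check_request(frame, HESSIAN2_ID))
```

Note that a provider explicitly configured for `kryo` still accepts kryo frames under this rule, which is why the workaround above removes the weak deserializers rather than relying on the id check alone.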