Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/563247?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/563247?format=api", "purl": "pkg:maven/com.alibaba/dubbo@2.5.1", "type": "maven", "namespace": "com.alibaba", "name": "dubbo", "version": "2.5.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.6.12", "latest_non_vulnerable_version": "2.6.12", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42750?format=api", "vulnerability_id": "VCID-2989-2ec6-jybq", "summary": "Server-Side Request Forgery (SSRF)\nIn Apache Dubbo prior to 2.6.9 and 2.7.9, the usage of parseURL method will lead to the bypass of white host check which can cause open redirect or SSRF vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-25640", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00705", "scoring_system": "epss", "scoring_elements": "0.72499", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00705", "scoring_system": "epss", "scoring_elements": "0.72483", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00705", "scoring_system": "epss", "scoring_elements": "0.72525", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00705", "scoring_system": "epss", "scoring_elements": "0.72532", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00705", "scoring_system": "epss", "scoring_elements": "0.72512", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-25640" }, { "reference_url": "https://lists.apache.org/thread.html/re4cab8855361a454d2af106fb3dad76259e723015fd7e09cb4f9eb77@%3Cdev.dubbo.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/re4cab8855361a454d2af106fb3dad76259e723015fd7e09cb4f9eb77@%3Cdev.dubbo.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/re4cab8855361a454d2af106fb3dad76259e723015fd7e09cb4f9eb77%40%3Cdev.dubbo.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/re4cab8855361a454d2af106fb3dad76259e723015fd7e09cb4f9eb77%40%3Cdev.dubbo.apache.org%3E" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25640", "reference_id": "CVE-2021-25640", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25640" }, { "reference_url": "https://github.com/advisories/GHSA-gw4j-4229-q4px", "reference_id": "GHSA-gw4j-4229-q4px", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gw4j-4229-q4px" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61032?format=api", "purl": "pkg:maven/com.alibaba/dubbo@2.6.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-m7ca-pdzs-2yfd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.alibaba/dubbo@2.6.9" } ], "aliases": [ "CVE-2021-25640", "GHSA-gw4j-4229-q4px" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2989-2ec6-jybq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42739?format=api", "vulnerability_id": "VCID-9cck-3q13-1kej", "summary": "Deserialization of Untrusted Data\nApache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-30179", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02183", "scoring_system": "epss", "scoring_elements": "0.84682", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.02183", "scoring_system": "epss", "scoring_elements": "0.84672", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.02183", "scoring_system": "epss", "scoring_elements": "0.84696", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.02183", "scoring_system": "epss", "scoring_elements": "0.847", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.02183", "scoring_system": "epss", "scoring_elements": "0.84694", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-30179" }, { "reference_url": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67@%3Cdev.dubbo.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67@%3Cdev.dubbo.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30179", "reference_id": "CVE-2021-30179", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30179" }, { "reference_url": "https://github.com/advisories/GHSA-5mc7-m686-p6jg", "reference_id": "GHSA-5mc7-m686-p6jg", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5mc7-m686-p6jg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61032?format=api", "purl": "pkg:maven/com.alibaba/dubbo@2.6.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-m7ca-pdzs-2yfd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.alibaba/dubbo@2.6.9" } ], "aliases": [ "CVE-2021-30179", "GHSA-5mc7-m686-p6jg" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9cck-3q13-1kej" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42749?format=api", "vulnerability_id": "VCID-apmz-v6u5-8ygh", "summary": "Deserialization of Untrusted Data\nEach Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, aka, not following the server's instruction. This means that if a weak deserializer such as the Kryo and FST are somehow in code scope (e.g. if Kryo is somehow a part of a dependency), a remote unauthenticated attacker can tell the Provider to use the weak deserializer, and then proceed to exploit it.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-25641", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.7462", "scoring_system": "epss", "scoring_elements": "0.98875", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.7462", "scoring_system": "epss", "scoring_elements": "0.98874", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.7462", "scoring_system": "epss", "scoring_elements": "0.98877", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.7462", "scoring_system": "epss", "scoring_elements": "0.98876", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-25641" }, { "reference_url": "https://lists.apache.org/thread.html/r99ef7fa35585d3a68762de07e8d2b2bc48b8fa669a03e8d84b9673f3%40%3Cdev.dubbo.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r99ef7fa35585d3a68762de07e8d2b2bc48b8fa669a03e8d84b9673f3%40%3Cdev.dubbo.apache.org%3E" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25641", "reference_id": "CVE-2021-25641", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25641" }, { "reference_url": "https://github.com/advisories/GHSA-v2rg-8cwr-75g8", "reference_id": "GHSA-v2rg-8cwr-75g8", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v2rg-8cwr-75g8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61032?format=api", "purl": "pkg:maven/com.alibaba/dubbo@2.6.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-m7ca-pdzs-2yfd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.alibaba/dubbo@2.6.9" } ], "aliases": [ "CVE-2021-25641", "GHSA-v2rg-8cwr-75g8" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-apmz-v6u5-8ygh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42740?format=api", "vulnerability_id": "VCID-eznq-hze7-kqfg", "summary": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')\nApache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use ScriptEngine and run the rule provided by the script which by default may enable executing arbitrary code.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-30181", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.03871", "scoring_system": "epss", "scoring_elements": "0.88461", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.03871", "scoring_system": "epss", "scoring_elements": "0.88442", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.03871", "scoring_system": "epss", "scoring_elements": "0.8846", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.03871", "scoring_system": "epss", "scoring_elements": "0.88462", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-30181" }, { "reference_url": "https://lists.apache.org/thread.html/re22410dc704a09bc7032ddf15140cf5e7df3e8ece390fc9032ff5587%40%3Cdev.dubbo.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/re22410dc704a09bc7032ddf15140cf5e7df3e8ece390fc9032ff5587%40%3Cdev.dubbo.apache.org%3E" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30181", "reference_id": "CVE-2021-30181", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30181" }, { "reference_url": "https://github.com/advisories/GHSA-qmfc-6www-fjqw", "reference_id": "GHSA-qmfc-6www-fjqw", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qmfc-6www-fjqw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61032?format=api", "purl": "pkg:maven/com.alibaba/dubbo@2.6.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-m7ca-pdzs-2yfd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.alibaba/dubbo@2.6.9" } ], "aliases": [ "CVE-2021-30181", "GHSA-qmfc-6www-fjqw" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-eznq-hze7-kqfg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/110635?format=api", "vulnerability_id": "VCID-m7ca-pdzs-2yfd", "summary": "Server-side request forgery in Apache Dubbo\nbypass CVE-2021-25640 > In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24969", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02387", "scoring_system": "epss", "scoring_elements": "0.85322", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.02387", "scoring_system": "epss", "scoring_elements": "0.85307", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.02387", "scoring_system": "epss", "scoring_elements": "0.85328", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.02387", "scoring_system": "epss", "scoring_elements": "0.85299", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24969" }, { "reference_url": "https://lists.apache.org/thread/1xbckc3467wfk5r7n2o44r2brdsbwxgr", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread/1xbckc3467wfk5r7n2o44r2brdsbwxgr" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24969", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24969" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25640", "reference_id": "CVE-2021-25640", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25640" }, { "reference_url": "https://github.com/advisories/GHSA-gm48-83x4-84jg", "reference_id": "GHSA-gm48-83x4-84jg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gm48-83x4-84jg" }, { "reference_url": "https://github.com/advisories/GHSA-gw4j-4229-q4px", "reference_id": "GHSA-gw4j-4229-q4px", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gw4j-4229-q4px" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/149340?format=api", "purl": "pkg:maven/com.alibaba/dubbo@2.6.12", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.alibaba/dubbo@2.6.12" } ], "aliases": [ "CVE-2022-24969", "GHSA-gm48-83x4-84jg" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m7ca-pdzs-2yfd" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/com.alibaba/dubbo@2.5.1" }