Alibaba Alibaba

  1. Vendors
  2. Alibaba

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Alibaba product.

RSS Feeds for Alibaba security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Alibaba products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Alibaba Sorted by Most Security Vulnerabilities since 2018

Alibaba Nacos5 vulnerabilities

Alibaba Druid1 vulnerability

Alibaba Fastjson1 vulnerability

Alibaba Tengine1 vulnerability

By the Year

In 2026 there have been 1 vulnerability in Alibaba with an average score of 10.0 out of ten. Alibaba did not have any published security vulnerabilities last year. That is, 1 more vulnerability have already been reported in 2026 as compared to last year.




Year Vulnerabilities Average Score
2026 1 10.00
2025 0 0.00
2024 0 0.00
2023 1 7.50
2022 3 8.23
2021 3 8.27
2020 1 0.00

It may take a day or so for new Alibaba vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Alibaba Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2025-70974 Jan 09, 2026
Fastjson <1.2.48 JNDI Injection via @type Field (CVE-2025-70974) Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.
CVE-2020-21699 Aug 22, 2023
Tengine 2.2.2 Range Filter INT Overflow Leak Vulnerability The web server Tengine 2.2.2 developed in the Nginx version from 0.5.6 thru 1.13.2 is vulnerable to an integer overflow vulnerability in the nginx range filter module, resulting in the leakage of potentially sensitive information triggered by specially crafted requests.
Tengine
CVE-2021-43116 Jul 05, 2022
An Access Control vulnerability exists in Nacos 2.0.3 in the access prompt page; enter username and password, click on login to capture packets and then change the returned package An Access Control vulnerability exists in Nacos 2.0.3 in the access prompt page; enter username and password, click on login to capture packets and then change the returned package, which lets a malicious user login.
Nacos
CVE-2022-25845 Jun 10, 2022
The package com.alibaba:fastjson before 1.2.83 are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions The package com.alibaba:fastjson before 1.2.83 are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).
Fastjson
CVE-2021-44667 Mar 11, 2022
A Cross Site Scripting (XSS) vulnerability exists in Nacos 2.0.3 in auth/users A Cross Site Scripting (XSS) vulnerability exists in Nacos 2.0.3 in auth/users via the (1) pageSize and (2) pageNo parameters.
Nacos
CVE-2021-33800 Nov 03, 2021
In Druid 1.2.3, visiting the path with parameter in a certain function In Druid 1.2.3, visiting the path with parameter in a certain function can lead to directory traversal.
Druid
CVE-2021-29442 Apr 27, 2021
Nacos is a platform designed for dynamic service discovery and configuration and service management Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, the ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users. These endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. mysql)
Nacos
CVE-2021-29441 Apr 27, 2021
Nacos is a platform designed for dynamic service discovery and configuration and service management Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, when configured to use authentication (-Dnacos.core.auth.enabled=true) Nacos uses the AuthFilter servlet filter to enforce authentication. This filter has a backdoor that enables Nacos servers to bypass this filter and therefore skip authentication checks. This mechanism relies on the user-agent HTTP header so it can be easily spoofed. This issue may allow any user to carry out any administrative tasks on the Nacos server.
Nacos
CVE-2020-19676 Sep 30, 2020
Nacos 1.1.4 is affected by: Incorrect Access Control Nacos 1.1.4 is affected by: Incorrect Access Control. An environment can be set up locally to get the service details interface. Then other Nacos service names can be accessed through the service list interface. Service details can then be accessed when not logged in. (detail:https://github.com/alibaba/nacos/issues/2284)
Nacos
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.