dd-trace-java 0.40.0 through 1.60.1 on JDK 16 and earlier
Summary
This vulnerability allows unauthenticated remote attackers to execute arbitrary code on affected Java virtual machines. The flaw lies in the RMI instrumentation, which deserializes untrusted input without filtering; it can be exploited by attackers with network access to an exposed JMX/RMI port. Exploitation requires JDK 16 or earlier and a compatible gadget chain on the classpath.
Remediation
Upgrade dd-trace-java to version 1.60.3 or later to address this flaw. If an immediate upgrade is not possible, disable the RMI integration by setting the environment variable `DD_INTEGRATION_RMI_ENABLED=false`. Restrict public access to exposed JMX/RMI ports for affected instances.
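As an added triage helper (not part of the advisory or of dd-trace-java itself), the following script applies the three stated conditions to one deployment: tracer version in the affected range, JDK 16 or earlier, and the RMI integration not disabled. It assumes that only the literal value `false` in `DD_INTEGRATION_RMI_ENABLED` disables the integration, and that versions follow `MAJOR.MINOR.PATCH`.

```python
import re
from typing import Dict, List, Tuple

# Ranges stated in the advisory.
AFFECTED_MIN, AFFECTED_MAX, FIXED = (0, 40, 0), (1, 60, 1), (1, 60, 3)
MAX_VULNERABLE_JDK = 16


def parse_version(v: str) -> Tuple[int, int, int]:
    """Parse a dd-trace-java version like '1.60.1', 'v1.60.1' or '1.60.1-SNAPSHOT'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", v.strip())
    if not m:
        raise ValueError(f"unrecognised dd-trace-java version: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_affected(v: str) -> bool:
    """True when the tracer version falls in 0.40.0 .. 1.60.1 inclusive."""
    return AFFECTED_MIN <= parse_version(v) <= AFFECTED_MAX


def jdk_major(java_version: str) -> int:
    """Extract the JDK feature release: '1.8.0_292' -> 8, '11.0.2+9' -> 11, '17' -> 17."""
    parts = java_version.strip().split(".")
    if parts[0] == "1" and len(parts) > 1:  # legacy 1.x numbering (JDK 8 and older)
        return int(re.match(r"\d+", parts[1]).group())
    return int(re.match(r"\d+", parts[0]).group())


def assess(tracer_version: str, java_version: str, env: Dict[str, str]) -> Dict[str, object]:
    """Decide whether a deployment is exposed and which advisory actions apply."""
    # Assumption: the integration is on unless the variable is set to the literal "false".
    rmi_disabled = env.get("DD_INTEGRATION_RMI_ENABLED", "").strip().lower() == "false"
    affected = version_affected(tracer_version)
    jdk_in_scope = jdk_major(java_version) <= MAX_VULNERABLE_JDK
    exposed = affected and jdk_in_scope and not rmi_disabled
    actions: List[str] = []
    if parse_version(tracer_version) < FIXED:
        actions.append("upgrade dd-trace-java to 1.60.3 or later")
    if exposed:
        actions.append("until upgraded, set DD_INTEGRATION_RMI_ENABLED=false")
        actions.append("restrict network access to the JMX/RMI port")
    return {"exposed": exposed, "affected_version": affected,
            "jdk_in_scope": jdk_in_scope, "rmi_disabled": rmi_disabled, "actions": actions}


if __name__ == "__main__":
    # Constructed sample deployment, not data from the advisory.
    print(assess("1.55.0", "11.0.2+9", {"DD_INTEGRATION_RMI_ENABLED": "true"}))
```

A deployment with the integration disabled is reported as not exposed but still gets the upgrade action, since the env var is a stopgap rather than a fix.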