CVE-2026-33728
In versions of dd-trace-java prior to 1.60.3, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability:
- dd-trace-java is attached as a Java agent (
-javaagent) on Java 16 or earlier - A JMX/RMI port has been explicitly configured via
-Dcom.sun.management.jmxremote.portand is network-reachable - A gadget-chain-compatible library is present on the classpath
Impact
Arbitrary remote code execution with the privileges of the user running the instrumented JVM.
Recommendation
- For JDK >= 17: No action is required, but upgrading is strongly encouraged.
- For JDK >= 8u121 < JDK 17: Upgrade to dd-trace-java version 1.60.3 or later.
- For JDK < 8u121 and earlier where serialization filters are not available, apply the workaround described below.
Workarounds
Set the following environment variable to disable the RMI integration: DDINTEGRATIONRMI_ENABLED=false
Credits
This vulnerability was responsibly disclosed by Mohamed Amine ait Ouchebou (mrecho) (Indiesecurity) via the Datadog bug bounty program.
Package Versions Affected
Automatically patch vulnerabilities without upgrading
CVSS Version
Related Resources
References
https://github.com/DataDog/dd-trace-java/security/advisories/GHSA-579q-h82j-r5v2, https://github.com/DataDog/dd-trace-java, https://github.com/DataDog/dd-trace-java/releases/tag/v1.60.3
Basic Information
