{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-62233", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2025-10-09T12:40:17.778Z", "datePublished": "2026-04-24T10:54:55.162Z", "dateUpdated": "2026-04-24T16:09:59.535Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.dolphinscheduler:dolphinscheduler-extract-base", "product": "Apache DolphinScheduler", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "3.3.1", "status": "affected", "version": "3.2.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "75Acol, fcgboy, ch0wn, zer0duck"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Deserialization of Untrusted Data vulnerability in Apache DolphinScheduler RPC module.</p><p>This issue affects Apache DolphinScheduler:&nbsp;</p><p>Version &gt;= 3.2.0 and &lt; 3.3.1.</p>Attackers who can access the Master or Worker nodes can compromise the system by creating a StandardRpcRequest, injecting a malicious class type into it, and sending RPC requests to the DolphinScheduler Master/Worker nodes.<br><p>Users are recommended to upgrade to version [3.3.1], which fixes the issue.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in Apache DolphinScheduler RPC module.\n\nThis issue affects Apache DolphinScheduler:\u00a0\n\nVersion >= 3.2.0 and < 3.3.1.\n\nAttackers who can access the Master or Worker nodes can compromise the system by creating a StandardRpcRequest, injecting a malicious class type into it, and sending RPC requests to the DolphinScheduler Master/Worker nodes.\nUsers are recommended to upgrade to version [3.3.1], which fixes the issue."}], "metrics": [{"other": {"content": {"text": "Moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-24T10:54:55.162Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/79s80h51r4z5d4l2xs5xy364rmmo1bw0"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache DolphinScheduler: Deserialization of untrusted data in RPC", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/24/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-24T11:28:22.000Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T16:09:54.360016Z", "id": "CVE-2025-62233", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T16:09:59.535Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/24/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-24T11:28:22.000Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-62233", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-24T16:09:54.360016Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T16:09:39.412Z"}}], "cna": {"title": "Apache DolphinScheduler: Deserialization of untrusted data in RPC", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "75Acol, fcgboy, ch0wn, zer0duck"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "Moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache DolphinScheduler", "versions": [{"status": "affected", "version": "3.2.0", "lessThan": "3.3.1", "versionType": "semver"}], "packageName": "org.apache.dolphinscheduler:dolphinscheduler-extract-base", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/79s80h51r4z5d4l2xs5xy364rmmo1bw0", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Apache DolphinScheduler RPC module.\n\nThis issue affects Apache DolphinScheduler:\u00a0\n\nVersion >= 3.2.0 and < 3.3.1.\n\nAttackers who can access the Master or Worker nodes can compromise the system by creating a StandardRpcRequest, injecting a malicious class type into it, and sending RPC requests to the DolphinScheduler Master/Worker nodes.\nUsers are recommended to upgrade to version [3.3.1], which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Deserialization of Untrusted Data vulnerability in Apache DolphinScheduler RPC module.</p><p>This issue affects Apache DolphinScheduler:&nbsp;</p><p>Version &gt;= 3.2.0 and &lt; 3.3.1.</p>Attackers who can access the Master or Worker nodes can compromise the system by creating a StandardRpcRequest, injecting a malicious class type into it, and sending RPC requests to the DolphinScheduler Master/Worker nodes.<br><p>Users are recommended to upgrade to version [3.3.1], which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-24T10:54:55.162Z"}}}, "cveMetadata": {"cveId": "CVE-2025-62233", "state": "PUBLISHED", "dateUpdated": "2026-04-24T16:09:59.535Z", "dateReserved": "2025-10-09T12:40:17.778Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-24T10:54:55.162Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*", "matchCriteriaId": "18CB4917-60E1-4DE1-AEEE-C035E1CC4F43", "versionEndExcluding": "3.3.1", "versionStartIncluding": "3.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Apache DolphinScheduler RPC module.\n\nThis issue affects Apache DolphinScheduler:\u00a0\n\nVersion >= 3.2.0 and < 3.3.1.\n\nAttackers who can access the Master or Worker nodes can compromise the system by creating a StandardRpcRequest, injecting a malicious class type into it, and sending RPC requests to the DolphinScheduler Master/Worker nodes.\nUsers are recommended to upgrade to version [3.3.1], which fixes the issue."}], "id": "CVE-2025-62233", "lastModified": "2026-04-27T13:45:44.713", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-24T11:16:21.780", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/79s80h51r4z5d4l2xs5xy364rmmo1bw0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/04/24/2"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@apache.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.2.0,3.3.1)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache DolphinScheduler", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "dolphinscheduler", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-28T06:54:42.818548+00:00", "value": {"mitigation_remediation": ["Upgrade Apache DolphinScheduler to version\u202f3.3.1 or later; this version includes the fixed deserialization handling.", "Limit connectivity to the Master and Worker RPC interfaces to trusted hosts only, for example by firewalling or network segmentation, to reduce the attack surface.", "Enable logging and monitoring of RPC traffic for anomalous class types or payloads, and integrate alerts into intrusion\u2011detection systems where possible."], "summary": {"action": "Apply Patch", "impact": "Remote code execution via deserialization"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Apache DolphinScheduler versions 3.2.0 through 3.3.0 inclusive. It targets the Apache Software Foundation\u2019s DolphinScheduler product, which is distributed under the Apache license. All installations running a vulnerable version are at risk unless patched or otherwise mitigated.", "description_and_impact": "Apache DolphinScheduler\u2019s RPC module accepts serialized objects from clients. Attackers who can reach the Master or Worker nodes can craft a StandardRpcRequest, inject a malicious class type, and transmit it to the server. The deserialization of this untrusted data allows an attacker to execute arbitrary code on the nodes, potentially compromising the entire scheduling infrastructure. This flaw is classed as CWE\u2011502 Improper Handling of Serialized Data.", "risk_and_exploitability": "The CVSS score is 6.3, indicating moderate severity, while the EPSS score is below 1\u202f%, suggesting a low probability of exploitation in the wild at present. The vulnerability is not listed in CISA\u2019s KEV catalog. Attackers must be able to send RPC requests to the Master or Worker nodes, so the primary attack vector is internal or privileged network access to the RPC service. With the current scores, the risk is moderate, but the potential impact warrants timely remediation."}}}}, "created": "2026-04-27T19:15:11.631515+00:00", "updated": "2026-04-28T07:00:09.532682+00:00", "vendors": ["apache", "apache$PRODUCT$dolphinscheduler"]}