Apache CVE-2025-62188

EUVD-2025-209369 | HIGH | CVSS 3.1 base score 7.5
Information Exposure (CWE-200)
Published 2026-04-09 | apache | GHSA-3cjc-vhfm-ffp2

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Apr 17, 2026 - 13:13 (vuln.today): Analysis Updated, v2 (cvss_changed)
Apr 17, 2026 - 13:07 (vuln.today): Re-analysis Queued (cvss_changed)
Apr 10, 2026 - 20:30 (nvd): Patch released (patch available)
Apr 09, 2026 - 10:00 (euvd): EUVD ID Assigned (EUVD-2025-209369)
Apr 09, 2026 - 10:00 (vuln.today): Analysis Generated
Apr 09, 2026 - 09:27 (nvd): CVE Published (HIGH 7.5)

Description (NVD)

An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler.

This vulnerability may allow unauthorized actors to access sensitive information, including database credentials.

This issue affects Apache DolphinScheduler versions 3.1.*.

Users are recommended to upgrade to:

  • version ≥ 3.2.0 if using 3.1.x

As a temporary workaround, users who cannot upgrade immediately may restrict the exposed management endpoints by setting the following environment variable:

MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus

Alternatively, add the following configuration to the application.yaml file:

management:
  endpoints:
    web:
      exposure:
        include: health,metrics,prometheus

This issue has been reported as CVE-2023-48796:

https://cveprocess.apache.org/cve5/CVE-2023-48796

Analysis (AI)

Unauthenticated remote disclosure of database credentials and other sensitive configuration data in Apache DolphinScheduler 3.1.x via overly permissive Spring Boot Actuator endpoints. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) reflects network-reachable exploitation with no authentication and no user interaction. The EPSS score of 0.02% (5th percentile) indicates a low current likelihood of exploitation despite the critical nature of credential exposure. A vendor patch is available in version 3.2.0, and a configuration-based workaround is documented for organizations unable to upgrade immediately. No public exploit code has been identified and the SSVC assessment shows no active exploitation, though the vulnerability is automatable.

Technical Context (AI)

Apache DolphinScheduler is a distributed workflow orchestration platform. This vulnerability (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) stems from default Spring Boot Actuator endpoint configurations that expose management interfaces without authentication. Spring Boot Actuator provides production-ready features such as health checks, metrics, and environment details via HTTP endpoints. When exposure is configured too broadly (typically management.endpoints.web.exposure.include=*), sensitive operational data, including database connection strings, credentials, and environment variables, becomes accessible at predictable URLs such as /actuator/env. The affected CPE (cpe:2.3:a:apache_software_foundation:apache_dolphinscheduler:*:*:*:*:*:*:*:*) covers all 3.1.x releases prior to 3.2.0. The description explicitly lists the affected versions as 3.1.*, with remediation requiring an upgrade to version ≥ 3.2.0.

Remediation (AI)

Primary remediation is upgrading Apache DolphinScheduler to version 3.2.0 or later, which contains the vendor-supplied fixes described in the official advisory at https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo.

For environments unable to upgrade immediately, apply the documented configuration-based workaround by restricting Spring Boot Actuator exposure: set the environment variable MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus or add the equivalent setting to application.yaml (management.endpoints.web.exposure.include: health,metrics,prometheus). This limits the web-exposed endpoints to health checks, metrics, and the Prometheus scrape endpoint, preventing access to sensitive environment and configuration data.

Trade-off: the workaround may reduce observability if monitoring tools depend on other Actuator endpoints such as /actuator/env or /actuator/configprops; verify monitoring integrations before applying it.

Additional compensating control: implement network-level access restrictions (firewall rules, security groups) to block external access to DolphinScheduler management ports where they are not operationally required. This does not protect against internal network threats or against authenticated users pivoting from other compromised systems.
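What matters in practice is the effective exposure setting, not what one file says: in Spring Boot, an environment variable overrides the same property in application.yaml, and an exclude entry overrides include. The following Python check is added here as an example and is not part of DolphinScheduler or the advisory; it parses the workaround's YAML snippet with a deliberately minimal parser, applies those precedence rules, and reports which exposed endpoints leak configuration data. The endpoint lists, the assumed default exposure of health, and the EXCLUDE variable name are assumptions of the check.

```python
# Constructed endpoint universe used to expand '*'; real apps may register more.
KNOWN_ENDPOINTS = {"health", "info", "metrics", "prometheus", "env", "configprops",
                   "beans", "mappings", "heapdump", "threaddump", "loggers"}
# Assumption: endpoints that reveal configuration, credentials or memory contents.
SENSITIVE_ENDPOINTS = {"env", "configprops", "heapdump", "threaddump"}
DEFAULT_INCLUDE = "health"  # assumed Spring Boot default when nothing is configured


def parse_simple_yaml(text: str) -> dict:
    """Minimal parser for nested 'key: value' maps (enough for the advisory's snippet)."""
    root: dict = {}
    stack = [(-1, root)]                                  # (indent, mapping) pairs
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while indent <= stack[-1][0]:                     # dedent back to the parent map
            stack.pop()
        if value.strip():
            stack[-1][1][key.strip()] = value.strip().strip("'\"")
        else:
            stack[-1][1][key.strip()] = child = {}
            stack.append((indent, child))
    return root


def effective_exposure(yaml_text: str, env: dict) -> set:
    """Endpoint ids reachable over HTTP. Environment variables outrank application.yaml
    (Spring Boot property precedence) and an exclude entry always outranks include."""
    node = parse_simple_yaml(yaml_text)
    for key in ("management", "endpoints", "web", "exposure"):
        node = node.get(key) if isinstance(node, dict) else None
    cfg = node if isinstance(node, dict) else {}
    include = env.get("MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE") or cfg.get("include") or DEFAULT_INCLUDE
    exclude = env.get("MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_EXCLUDE") or cfg.get("exclude") or ""
    def ids(spec: str) -> set:
        parts = {p.strip() for p in spec.split(",") if p.strip()}
        return set(KNOWN_ENDPOINTS) if "*" in parts else parts
    return ids(include) - ids(exclude)


def risky_endpoints(yaml_text: str, env: dict) -> list:
    """Sorted exposed endpoints that leak configuration or credentials (CWE-200)."""
    return sorted(effective_exposure(yaml_text, env) & SENSITIVE_ENDPOINTS)


# Constructed samples: the advisory's workaround, and the risky wildcard setting.
WORKAROUND_YAML = "management:\n  endpoints:\n    web:\n      exposure:\n        include: health,metrics,prometheus\n"
WILDCARD_YAML = WORKAROUND_YAML.replace("health,metrics,prometheus", "'*'")
if __name__ == "__main__":
    print("wildcard:  ", risky_endpoints(WILDCARD_YAML, {}))     # ['configprops', 'env', 'heapdump', 'threaddump']
    print("workaround:", risky_endpoints(WORKAROUND_YAML, {}))   # []
```

Run it against the deployment's real application.yaml and container environment; a non-empty result means /actuator/env or a similar endpoint is still reachable despite the file on disk.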


CVE-2025-62188 vulnerability details – vuln.today
