Apache DolphinScheduler CVE-2025-62233

EUVD-2025-209572 | Severity: MEDIUM
Deserialization of Untrusted Data (CWE-502)
2026-04-24 | apache | GHSA-f786-9c63-8xr8
CVSS 3.1 base score: 6.3

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Apr 24, 2026 - 17:22 (vuln.today)
CVSS changed: Apr 24, 2026 - 17:22 (NVD), 6.3 (MEDIUM)
Patch available: Apr 24, 2026 - 12:16 (EUVD)

Description (NVD)

Deserialization of Untrusted Data vulnerability in Apache DolphinScheduler RPC module.

This issue affects Apache DolphinScheduler:

Version >= 3.2.0 and < 3.3.1.

Attackers who can access the Master or Worker nodes can compromise the system by creating a StandardRpcRequest, injecting a malicious class type into it, and sending RPC requests to the DolphinScheduler Master/Worker nodes. Users are recommended to upgrade to version 3.3.1, which fixes the issue.

Analysis (AI)

Unsafe deserialization in Apache DolphinScheduler RPC module (versions 3.2.0 to 3.3.0) allows authenticated network attackers to achieve remote code execution by injecting malicious class types into StandardRpcRequest messages sent to Master or Worker nodes. The vulnerability requires network access and valid credentials but carries moderate CVSS (6.3) with very low EPSS exploitation probability (0.02%), suggesting limited real-world weaponization despite the dangerous vulnerability class.

Technical Context (AI)

Apache DolphinScheduler is a distributed workflow scheduler that uses an RPC module for inter-node communication between Master and Worker components. The vulnerability stems from CWE-502 (Deserialization of Untrusted Data), a class 1 weakness where the RPC module deserializes arbitrary Java objects from network messages without proper validation. An attacker crafting a malicious StandardRpcRequest can inject a hostile class type that executes arbitrary code during deserialization. This affects CPE cpe:2.3:a:apache_software_foundation:apache_dolphinscheduler:*:*:*:*:*:*:*:* for versions 3.2.0 through 3.3.0. The RPC communication layer is a core architectural component used for task distribution and cluster coordination.

Remediation (AI)

Upgrade to Apache DolphinScheduler version 3.3.1 or later immediately, as confirmed by vendor advisory at https://lists.apache.org/thread/79s80h51r4z5d4l2xs5xy364rmmo1bw0. No workarounds are documented; patching is the primary remediation. Organizations unable to patch immediately should implement network-level controls: restrict RPC communication (typically ports 50010-50015 for Master/Worker) to trusted internal networks only, disable RPC access from untrusted sources, and enforce strong authentication and authorization on cluster access. Monitor RPC traffic for suspicious StandardRpcRequest messages or deserialization errors. Disable unused RPC features if supported by configuration. Test the upgrade in a non-production environment first, as DolphinScheduler RPC is critical to cluster operation.
