Platform: java
Component: org.apache.dolphinscheduler:dolphinscheduler
Fixed in: 3.2.0
CVE-2025-62188 describes an Information Disclosure vulnerability within Apache DolphinScheduler. This flaw allows unauthorized actors to potentially access sensitive information, such as database credentials. The vulnerability impacts versions of Apache DolphinScheduler up to and including 3.1.9. Mitigation involves upgrading to version 3.2.0 or implementing a temporary workaround by restricting exposed management endpoints.
Successful exploitation of CVE-2025-62188 could grant attackers access to critical database credentials, effectively compromising the entire DolphinScheduler deployment. This could lead to unauthorized data modification, deletion, or exfiltration. The blast radius extends to any data stored and managed by the DolphinScheduler system. While no specific real-world exploitation has been publicly reported, the potential for significant data compromise makes this a high-priority concern. The exposure of database credentials is a particularly severe outcome, enabling attackers to pivot and potentially compromise other systems connected to the database.
CVE-2025-62188 was published on 2026-04-09. Its exploitation probability is currently pending evaluation. No public proof-of-concept exploits are known at this time. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting Apache DolphinScheduler.
Organizations utilizing Apache DolphinScheduler for workflow orchestration, particularly those running versions 3.1.0 through 3.1.9, are at risk. Shared hosting environments where DolphinScheduler instances are deployed alongside other applications are also particularly vulnerable due to the potential for cross-tenant access.
• linux / server:
  journalctl -u dolphinscheduler-master -g "sensitive information"
• generic web:
  curl -I http://<dolphinscheduler_host>/management/  # Check for exposed endpoints
Exploit status
EPSS: 0.01% (2nd percentile)
CVSS vector
The primary mitigation for CVE-2025-62188 is to upgrade Apache DolphinScheduler to version 3.2.0 or later. If an immediate upgrade is not possible, a temporary workaround is to restrict the exposed management endpoints by setting the MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE environment variable so that it lists only the endpoints that are actually needed, such as health, metrics, and prometheus. Ensure the variable is set correctly and actually applied to the running DolphinScheduler environment. After upgrading, confirm the vulnerability is resolved by checking that sensitive information is no longer reachable without authorization; such access should be denied.
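The audit below is an added example, not code from this advisory or from the DolphinScheduler project: it checks the actuator exposure list that the workaround relies on against the allowlist the advisory names, rejecting a wildcard or any endpoint outside it. It assumes the setting is the standard Spring Boot property management.endpoints.web.exposure.include, bound to the MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE environment variable; the values it checks are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or the DolphinScheduler project).
# Assumptions: the workaround uses the standard Spring Boot property
# management.endpoints.web.exposure.include, bound to the environment
# variable MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE, and the allowlist
# is the set of endpoints the advisory names. An 'exclude' list, which
# Spring Boot applies on top of 'include', is not considered here.

ALLOWED="health metrics prometheus"

# check_exposure LIST
#   returns 0 when LIST names only allowlisted endpoints;
#   returns 1 (printing the reason) for an empty list, a wildcard,
#   or any endpoint outside the allowlist. LIST is comma-separated
#   and surrounding spaces are ignored.
check_exposure() {
    rest=$1
    [ -n "$rest" ] || { echo "exposure list is empty"; return 1; }
    while [ -n "$rest" ]; do
        # Peel off one entry with parameter expansion, never with word
        # splitting, so a literal '*' is not expanded against the cwd.
        case $rest in
            *,*) ep=${rest%%,*}; rest=${rest#*,} ;;
            *)   ep=$rest; rest= ;;
        esac
        ep=$(printf '%s' "$ep" | tr -d ' ')
        [ -n "$ep" ] || continue
        if [ "$ep" = '*' ]; then
            echo "wildcard exposes every actuator endpoint"; return 1
        fi
        found=0
        for a in $ALLOWED; do
            [ "$ep" = "$a" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "endpoint '$ep' is not in the allowlist"; return 1
        fi
    done
    return 0
}

# Weak value: a wildcard, the kind of setting the workaround replaces.
check_exposure '*' || echo "weak setting rejected"

# Hardened value, as the advisory recommends, then re-checked.
export MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus
check_exposure "$MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE" && echo "hardened setting accepted"
```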
Upgrade to version 3.2.0 or later to prevent unauthorized access to sensitive information, including database credentials. As a temporary measure, restrict access to the management endpoints by setting the MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE environment variable or by modifying the application.yaml file.
CVE-2025-62188 is a HIGH severity vulnerability affecting Apache DolphinScheduler versions ≤3.1.9, allowing unauthorized access to sensitive data like database credentials.
If you are running Apache DolphinScheduler versions 3.1.0 through 3.1.9, you are potentially affected by this Information Disclosure vulnerability.
Upgrade to version 3.2.0 or later. As a temporary workaround, restrict exposed management endpoints using the MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE environment variable.
As of the current date, there is no confirmed evidence of active exploitation of CVE-2025-62188.
Refer to the Apache DolphinScheduler project's official website and security announcements for the latest information regarding CVE-2025-62188.