HIGH · CVE-2025-62188 · CVSS 7.5

CVE-2025-62188: Information Disclosure in Apache DolphinScheduler

Platform

java

Component

org.apache.dolphinscheduler:dolphinscheduler

Fixed in

3.2.0

AI Confidence: high · Source: NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2025-62188 describes an Information Disclosure vulnerability within Apache DolphinScheduler. This flaw allows unauthorized actors to potentially access sensitive information, such as database credentials. The vulnerability impacts versions of Apache DolphinScheduler up to and including 3.1.9. Mitigation involves upgrading to version 3.2.0 or implementing a temporary workaround by restricting exposed management endpoints.


Impact and Attack Scenarios

The primary impact of CVE-2025-62188 is the exposure of sensitive information to unauthorized parties. Attackers could exploit this vulnerability to gain access to database credentials, potentially leading to complete compromise of the DolphinScheduler instance and the underlying data. Successful exploitation could enable attackers to read, modify, or delete data stored within the database, disrupting operations and potentially leading to data breaches. The blast radius extends to any systems or applications that rely on the data managed by Apache DolphinScheduler.

Exploitation Context

CVE-2025-62188 was published on 2026-04-09. Currently, there is no indication of active exploitation or a public proof-of-concept. The vulnerability is not listed on the CISA KEV catalog as of this writing. The exposure of database credentials presents a significant risk, and monitoring for suspicious activity is advised.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.01% (2nd percentile)

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (base score 7.5, HIGH; source: nextguardhq.com)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: None (risk of unauthorized data modification)
Availability: None (risk of service disruption)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
None — no integrity impact. Attacker cannot modify data.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: org.apache.dolphinscheduler:dolphinscheduler
Vendor: osv

Affected range | Fixed in
3.1.0 – 3.2.0 | 3.2.0
3.1.0 | 3.2.0

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The recommended mitigation for CVE-2025-62188 is to upgrade Apache DolphinScheduler to version 3.2.0 or later, which contains the fix. For environments where an immediate upgrade is not feasible, a temporary workaround is to restrict the exposed management endpoints by setting the MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE environment variable to only the endpoints that are actually needed, such as health, metrics, and prometheus. This reduces the attack surface but does not remove the underlying flaw. After upgrading, confirm the issue is resolved by requesting the previously exposed endpoints and verifying that they are no longer reachable without proper authentication.

How to fix

Upgrade to version 3.2.0 or later to prevent unauthorized access to sensitive information, including database credentials. As a temporary workaround, restrict access to the management endpoints by configuring the MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE environment variable or modifying the application.yaml file.
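The workaround above expressed as configuration, as an added example that is not part of the advisory or the DolphinScheduler project: the weak Spring Boot actuator exposure beside the restricted one. It assumes DolphinScheduler's server reads a standard Spring Boot `application.yaml`, and that the MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE environment variable binds to the `management.endpoints.web.exposure.include` property through Spring Boot's relaxed binding.

```yaml
# Added example; not the project's own configuration.
# Assumption: DolphinScheduler's Spring Boot application.yaml controls which
# actuator endpoints are served over HTTP.

# Weak: every actuator endpoint is exposed, including ones that reveal
# runtime configuration. This is the setting the workaround replaces.
management:
  endpoints:
    web:
      exposure:
        include: "*"

---
# Restricted: expose only what monitoring needs (the three endpoints named
# in the advisory) and explicitly exclude the configuration dumps.
# Spring Boot applies "exclude" after "include", so widening "include"
# later does not silently re-expose them.
#
# Equivalent environment variable for container deployments:
#   MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus
management:
  endpoints:
    web:
      exposure:
        include: health,metrics,prometheus
        exclude: env,configprops
```

After applying either form, restart the service and request an endpoint that is no longer in the include list; a 404 response confirms the restriction took effect.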


Frequently asked questions

What is CVE-2025-62188 — Information Disclosure in Apache DolphinScheduler?

CVE-2025-62188 is a HIGH severity vulnerability affecting Apache DolphinScheduler versions ≤3.1.9, allowing unauthorized access to sensitive data like database credentials.

Am I affected by CVE-2025-62188 in Apache DolphinScheduler?

If you are running Apache DolphinScheduler versions 3.1.0 through 3.1.9, you are potentially affected by this Information Disclosure vulnerability.

How do I fix CVE-2025-62188 in Apache DolphinScheduler?

Upgrade to version 3.2.0 or later. As a temporary workaround, restrict the exposed management endpoints using the MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE environment variable.

Is CVE-2025-62188 being actively exploited?

As of the current date, there is no confirmed evidence of active exploitation of CVE-2025-62188.

Where can I find the official Apache DolphinScheduler advisory for CVE-2025-62188?

Refer to the Apache DolphinScheduler project's official website and security announcements for the latest information regarding CVE-2025-62188.
