Platform
java
Component
org.apache.dolphinscheduler:dolphinscheduler
Fixed in
3.2.0
3.2.0
CVE-2025-62188 describes an Information Disclosure vulnerability within Apache DolphinScheduler. This flaw allows unauthorized actors to potentially access sensitive information, such as database credentials. The vulnerability impacts versions of Apache DolphinScheduler up to and including 3.1.9. Mitigation involves upgrading to version 3.2.0 or implementing a temporary workaround by restricting exposed management endpoints.
The primary impact of CVE-2025-62188 is the exposure of sensitive information to unauthorized parties. Attackers could exploit this vulnerability to gain access to database credentials, potentially leading to complete compromise of the DolphinScheduler instance and the underlying data. Successful exploitation could enable attackers to read, modify, or delete data stored within the database, disrupting operations and potentially leading to data breaches. The blast radius extends to any systems or applications that rely on the data managed by Apache DolphinScheduler.
CVE-2025-62188 was published on 2026-04-09. Currently, there is no indication of active exploitation or a public proof-of-concept. The vulnerability is not listed on the CISA KEV catalog as of this writing. The exposure of database credentials presents a significant risk, and monitoring for suspicious activity is advised.
Exploit Status
EPSS
0.01% (2% percentile)
CVSS Vector
The recommended mitigation for CVE-2025-62188 is to upgrade Apache DolphinScheduler to version 3.2.0 or later, which contains the fix. For environments where immediate upgrades are not feasible, a temporary workaround involves restricting the exposed management endpoints. This can be achieved by setting the MANAGEMENTENDPOINTSWEBEXPOSUREINCLUDE environment variable to only include necessary endpoints like health, metrics, and prometheus. This limits the attack surface. After upgrading, confirm the vulnerability is resolved by attempting to access the previously exposed endpoints and verifying they are no longer accessible without proper authentication.
Upgrade to version 3.2.0 or later to prevent unauthorized access to sensitive information, including database credentials. As a temporary workaround, restrict access to the management endpoints by configuring the MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE environment variable or modifying the application.yaml file.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-62188 is a HIGH severity vulnerability affecting Apache DolphinScheduler versions ≤3.1.9, allowing unauthorized access to sensitive data like database credentials.
If you are running Apache DolphinScheduler versions 3.1.0 through 3.1.9, you are potentially affected by this Information Disclosure vulnerability.
Upgrade to version 3.2.0 or later. As a temporary workaround, restrict exposed management endpoints using the MANAGEMENTENDPOINTSWEBEXPOSUREINCLUDE environment variable.
As of the current date, there is no confirmed evidence of active exploitation of CVE-2025-62188.
Refer to the Apache DolphinScheduler project's official website and security announcements for the latest information regarding CVE-2025-62188.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your pom.xml file and we'll tell you instantly if you're affected.