Platform: java
Component: org.apache.dolphinscheduler:dolphinscheduler
Fixed in: 3.2.0
CVE-2025-62188 describes an Information Disclosure vulnerability within Apache DolphinScheduler. This flaw allows unauthorized actors to potentially access sensitive information, such as database credentials. The vulnerability impacts versions of Apache DolphinScheduler up to and including 3.1.9. Mitigation involves upgrading to version 3.2.0 or implementing a temporary workaround by restricting exposed management endpoints.
The primary impact of CVE-2025-62188 is the exposure of sensitive information to unauthorized parties. Attackers could exploit this vulnerability to gain access to database credentials, potentially leading to complete compromise of the DolphinScheduler instance and the underlying data. Successful exploitation could enable attackers to read, modify, or delete data stored within the database, disrupting operations and potentially leading to data breaches. The blast radius extends to any systems or applications that rely on the data managed by Apache DolphinScheduler.
CVE-2025-62188 was published on 2026-04-09. Currently, there is no indication of active exploitation or a public proof-of-concept. The vulnerability is not listed on the CISA KEV catalog as of this writing. The exposure of database credentials presents a significant risk, and monitoring for suspicious activity is advised.
Organizations utilizing Apache DolphinScheduler for workflow orchestration, particularly those running versions 3.1.0 through 3.1.9, are at risk. Shared hosting environments where DolphinScheduler instances are deployed alongside other applications are also particularly vulnerable due to the potential for cross-tenant access.
• linux / server:
journalctl -u dolphinscheduler-master -g "sensitive information"
• generic web:
curl -I http://<dolphinscheduler_host>/management/ # Check for exposed endpoints
Exploit Status
EPSS: 0.01% (2% percentile)
CVSS vector
The recommended mitigation for CVE-2025-62188 is to upgrade Apache DolphinScheduler to version 3.2.0 or later, which contains the fix. For environments where an immediate upgrade is not feasible, a temporary workaround is to restrict the exposed management endpoints. This can be achieved by setting the MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE environment variable so that it includes only the endpoints that are actually needed, such as health, metrics, and prometheus. This limits the attack surface. After upgrading, confirm the vulnerability is resolved by attempting to access the previously exposed endpoints and verifying that they are no longer reachable without proper authentication.
Upgrade to version 3.2.0 or later to prevent unauthorized access to sensitive information, including database credentials. As a temporary measure, restrict access to the management endpoints by configuring the MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE environment variable or by editing the application.yaml file.
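The workaround above amounts to a Spring Boot actuator exposure setting. The fragment below is an added illustrative example, not configuration shipped by the DolphinScheduler project; it assumes the DolphinScheduler server components are Spring Boot applications that read the standard management.* properties from application.yaml, and the "before" value of "*" is an assumed broad-exposure setting used only to contrast with the restricted list the advisory recommends.

```yaml
# Added example (not DolphinScheduler's own configuration).
# Assumption: the server reads Spring Boot's management.* properties
# from application.yaml.

# Before (assumed): "*" publishes every actuator endpoint over HTTP,
# a much wider surface than operations needs.
# management:
#   endpoints:
#     web:
#       exposure:
#         include: "*"

# After: expose only the operational endpoints named in the advisory.
# Anything not in this comma-separated list is not served at all.
management:
  endpoints:
    web:
      exposure:
        include: health,metrics,prometheus
```

The same restriction can be applied without editing the file by exporting MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus in the service's environment before it starts; Spring Boot's relaxed binding maps that variable to the management.endpoints.web.exposure.include property, and the environment variable takes precedence over the YAML value. After restarting, the curl check listed under "generic web" above should show the previously exposed endpoints returning a non-200 status.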
CVE-2025-62188 is a HIGH severity vulnerability affecting Apache DolphinScheduler versions ≤3.1.9, allowing unauthorized access to sensitive data like database credentials.
If you are running Apache DolphinScheduler versions 3.1.0 through 3.1.9, you are potentially affected by this Information Disclosure vulnerability.
Upgrade to version 3.2.0 or later. As a temporary workaround, restrict the exposed management endpoints using the MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE environment variable.
As of the current date, there is no confirmed evidence of active exploitation of CVE-2025-62188.
Refer to the Apache DolphinScheduler project's official website and security announcements for the latest information regarding CVE-2025-62188.