Follow @Openwall on Twitter for new release announcements and other news
[<prev] [day] [month] [year] [list] 
Message-ID: <191dcdcd-6f53-63f2-9cec-c7a2c9ba42f1@apache.org>
Date: Fri, 24 Apr 2026 02:19:50 +0000
From: Wenjun Ruan <wenjun@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-62233: Apache DolphinScheduler: Deserialization of
 untrusted data in RPC 

Severity: Moderate 

Affected versions:

- Apache DolphinScheduler (org.apache.dolphinscheduler:dolphinscheduler-extract-base) 3.2.0 before 3.3.1

Description:

Deserialization of Untrusted Data vulnerability in Apache DolphinScheduler RPC module.

This issue affects Apache DolphinScheduler: 

Version >= 3.2.0 and < 3.3.1.

Attackers who can access the Master or Worker nodes can compromise the system by creating a StandardRpcRequest, injecting a malicious class type into it, and sending RPC requests to the DolphinScheduler Master/Worker nodes.
Users are recommended to upgrade to version [3.3.1], which fixes the issue.

Credit:

75Acol, fcgboy, ch0wn, zer0duck (finder)

References:

https://dolphinscheduler.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-62233

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.