CVE-2025-62233 Apache DolphinScheduler: Deserialization of untrusted data in RPC

🗓️ 24 Apr 2026 10:54:55Reported by apacheType

Deserialization of untrusted data in DolphinScheduler RPC enables attacks on Master or Worker nodes; upgrade to 3.3.1.

Reporter	Title	Published	Views	Family All 12
ATTACKERKB	CVE-2025-62233	24 Apr 202610:54	–	attackerkb
Circl	CVE-2025-62233	24 Apr 202603:10	–	circl
CNNVD	Apache DolphinScheduler 代码问题漏洞	24 Apr 202600:00	–	cnnvd
CVE	CVE-2025-62233	24 Apr 202610:54	–	cve
EUVD	EUVD-2025-209572	24 Apr 202610:54	–	euvd
Github Security Blog	Apache DolphinScheduler RPC module has a Deserialization of Untrusted Data vulnerability	24 Apr 202612:30	–	github
NVD	CVE-2025-62233	24 Apr 202611:16	–	nvd
OSV	GHSA-F786-9C63-8XR8 Apache DolphinScheduler RPC module has a Deserialization of Untrusted Data vulnerability	24 Apr 202612:30	–	osv
Positive Technologies	PT-2026-34872	24 Apr 202600:00	–	ptsecurity
Snyk	Deserialization of Untrusted Data	24 Apr 202612:19	–	snyk

[
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "org.apache.dolphinscheduler:dolphinscheduler-extract-base",
    "product": "Apache DolphinScheduler",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "3.3.1",
        "status": "affected",
        "version": "3.2.0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
lists	www.lists.apache.org/thread/79s80h51r4z5d4l2xs5xy364rmmo1bw0

24 Apr 2026 10:54Current

EPSS0.00059

CWE-502