Deserialization Vulnerability in Apache DolphinScheduler by Apache
CVE-2025-62233

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Dolphinscheduler
Vendor: CVE Published:; 24 April 2026

What is CVE-2025-62233?

A deserialization vulnerability exists in Apache DolphinScheduler's RPC module, which could allow attackers with access to Master or Worker nodes to execute unauthorized actions. By injecting a malicious class type into a StandardRpcRequest and sending it to the nodes, the attackers might compromise system integrity. It is essential for users operating versions prior to 3.3.1 to upgrade to mitigate this risk.

Affected Version(s)

Apache DolphinScheduler 3.2.0 < 3.3.1

References

https://lists.apache.org/thread/79s80h51r4z5d4l2xs5xy364r...

vendor-advisory

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 24, 2026
Vulnerability Reserved
Oct 9, 2025

Credit

75Acol, fcgboy, ch0wn, zer0duck

CVE-2025-62233 Data

JSON