Deserialization Vulnerability in Apache DolphinScheduler by Apache
CVE-2025-62233

6.3MEDIUM

Key Information:

Vendor: Apache
Status: Apache Dolphinscheduler
Vendor: CVE Published:; 24 April 2026

What is CVE-2025-62233?

A deserialization vulnerability exists in Apache DolphinScheduler's RPC module, which could allow attackers with access to Master or Worker nodes to execute unauthorized actions. By injecting a malicious class type into a StandardRpcRequest and sending it to the nodes, the attackers might compromise system integrity. It is essential for users operating versions prior to 3.3.1 to upgrade to mitigate this risk.

Affected Version(s)

Apache DolphinScheduler 3.2.0 < 3.3.1

References

https://lists.apache.org/thread/79s80h51r4z5d4l2xs5xy364r...

vendor-advisory

CVSS V3.1

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 24, 2026
Vulnerability Reserved
Oct 9, 2025

Credit

75Acol, fcgboy, ch0wn, zer0duck

CVE-2025-62233 Data

JSON