VYPR
High severity · NVD Advisory · Published Mar 30, 2022 · Updated Aug 3, 2024

Apache DolphinScheduler user registration is vulnerable to ReDoS attacks

CVE-2022-25598

Description

Apache DolphinScheduler user registration is vulnerable to Regular Expression Denial of Service (ReDoS) attacks. Apache DolphinScheduler users should upgrade to version 2.0.5 or higher.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache DolphinScheduler user registration vulnerable to ReDoS; upgrade to v2.0.5 to prevent denial of service.

Vulnerability

The user registration module in Apache DolphinScheduler prior to version 2.0.5 contains a Regular Expression Denial of Service (ReDoS) flaw. The vulnerability arises from an inefficient regex pattern used during user registration input validation, which can lead to catastrophic backtracking when processing crafted input strings [1], [2].
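The backtracking mechanism described above, as an added example that is not DolphinScheduler's code (the advisory does not publish the affected pattern): a constructed nested-quantifier username pattern beside a linear-time replacement, with an input-length cap applied before any regex runs. Python's re engine is a backtracking matcher like java.util.regex, so the shape of the timings carries over.

```python
from __future__ import annotations
import re
import time

# Constructed pattern, NOT the one from DolphinScheduler: the nested quantifier
# ([...]+)+ can split a run of valid characters among group repetitions in
# exponentially many ways, and a trailing invalid character forces the engine
# to try all of them before failing.
BACKTRACKING_USERNAME = re.compile(r"^([a-zA-Z0-9_]+)+$")

# Hardened form: a single unambiguous quantifier, so every character is
# consumed once and a non-match is reported in linear time.
LINEAR_USERNAME = re.compile(r"^[a-zA-Z0-9_]+$")

# Assumed registration limit; bounding length before matching caps the work
# any pattern can do, even if a pathological one slips through review.
MAX_USERNAME_LEN = 64


def validate_username(name: str, pattern: re.Pattern = LINEAR_USERNAME) -> bool:
    """Reject over-long input first, then apply the (linear) pattern."""
    if len(name) > MAX_USERNAME_LEN:
        return False
    return pattern.fullmatch(name) is not None


def time_match(pattern: re.Pattern, text: str) -> tuple[bool, float]:
    """Return (matched, seconds) so the two patterns can be compared."""
    start = time.perf_counter()
    matched = pattern.fullmatch(text) is not None
    return matched, time.perf_counter() - start


if __name__ == "__main__":
    # Near-miss input: valid characters followed by one invalid character.
    # The nested pattern's time roughly doubles with each extra character;
    # the linear pattern stays flat.
    for n in (12, 16, 20):
        near_miss = "a" * n + "!"
        _, slow = time_match(BACKTRACKING_USERNAME, near_miss)
        _, fast = time_match(LINEAR_USERNAME, near_miss)
        print(f"n={n:2d}  nested: {slow:8.4f}s  linear: {fast:8.6f}s")
```

Both patterns accept and reject the same strings; only the cost of a rejection differs, which is why the fix is invisible to legitimate users.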

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a specially crafted registration request with a malicious payload. The regex engine will attempt to match the input, consuming excessive CPU time and potentially causing the service to become unresponsive. No special privileges or network position are required beyond network access to the registration endpoint [2].

Impact

Successful exploitation results in a denial of service (DoS) condition, impacting the availability of the Apache DolphinScheduler instance. While no data compromise or privilege escalation occurs, the service may be rendered unusable for legitimate users until restarted [2].

Mitigation

The issue is fixed in Apache DolphinScheduler version 2.0.5, released on March 30, 2022. Users are advised to upgrade immediately. No workarounds are documented [2], [3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                        Ecosystem   Affected versions   Patched versions
org.apache.dolphinscheduler:dolphinscheduler   Maven       < 2.0.5             2.0.5
apache-dolphinscheduler                        PyPI        < 2.0.5             2.0.5
