Apache DolphinScheduler: RCE by arbitrary js execution
Description
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed javascript to be executed on the server. If you are using the switch task plugin, please upgrade to version 3.2.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated user in Apache DolphinScheduler can execute arbitrary unsandboxed JavaScript on the server via improper input validation in the switch task plugin, leading to remote code execution (RCE).
Overview
CVE-2024-29831 is an improper input validation vulnerability in Apache DolphinScheduler that allows remote code execution (RCE). The flaw resides in the switch task plugin, where an authenticated user can inject and execute arbitrary, unsandboxed JavaScript on the server. This stems from insufficient sanitization or validation of user-supplied input within the switch task workflow [1][3].
Exploitation
An attacker must first authenticate to the DolphinScheduler web interface. No special privileges beyond a standard authenticated session are required. The switch task plugin, a built-in component for conditional branching in workflows, accepts user-controlled input that is passed to a JavaScript engine without sandboxing. By crafting a malicious switch condition, an authenticated user can achieve arbitrary JavaScript execution on the server side [3]. This is a classic injection attack where user input is treated as code.
Impact
Successful exploitation grants the attacker the ability to execute arbitrary JavaScript code in the server's runtime context. This can be leveraged to perform further attacks such as data exfiltration, lateral movement, privilege escalation, or complete compromise of the DolphinScheduler instance. The vulnerability is rated as moderate severity, but it enables full RCE, making it highly dangerous in production environments [1][3].
Mitigation
The issue is patched in DolphinScheduler version 3.2.2. Users running versions through 3.2.1 who utilize the switch task plugin are strongly advised to upgrade immediately. No workarounds have been provided by the vendor [1][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.dolphinscheduler:dolphinscheduler (Maven) | < 3.2.2 | 3.2.2 |
Affected products
- Apache Software Foundation/Apache DolphinScheduler (v5), Range: 0
References
- github.com/advisories/GHSA-m9q4-p56m-mc6q (ghsa, ADVISORY)
- lists.apache.org/thread/x1ch0x5om3srtbnp7rtsvdszho3mdrq0 (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-29831 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2024/08/09/6 (ghsa, WEB)