Medium severity6.3NVD Advisory· Published Apr 24, 2026· Updated Apr 27, 2026

CVE-2025-62233

Description

Deserialization of Untrusted Data vulnerability in Apache DolphinScheduler RPC module.

This issue affects Apache DolphinScheduler:

Version >= 3.2.0 and < 3.3.1.

Attackers who can access the Master or Worker nodes can compromise the system by creating a StandardRpcRequest, injecting a malicious class type into it, and sending RPC requests to the DolphinScheduler Master/Worker nodes. Users are recommended to upgrade to version [3.3.1], which fixes the issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.dolphinscheduler:dolphinschedulerMaven	>= 3.2.0, < 3.3.1	3.3.1
org.apache.dolphinscheduler:dolphinscheduler-rpcMaven	>= 3.2.0, < 3.3.1	3.3.1

Affected products

Apache/Dolphinscheduler
cpe:2.3:a:apache:dolphinscheduler:*:*:*:*:*:*:*:*
Range: >=3.2.0,<3.3.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.openwall.com/lists/oss-security/2026/04/24/2nvdMailing ListThird Party AdvisoryWEB
github.com/advisories/GHSA-f786-9c63-8xr8ghsaADVISORY
lists.apache.org/thread/79s80h51r4z5d4l2xs5xy364rmmo1bw0nvdMailing ListVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2025-62233ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.410
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000