Deserialization Vulnerability in Apache DolphinScheduler RPC (3.2.0-<3.3.1)
CVE-2025-62233 Published on April 24, 2026

Apache DolphinScheduler: Deserialization of untrusted data in RPC
Deserialization of Untrusted Data vulnerability in Apache DolphinScheduler RPC module. This issue affects Apache DolphinScheduler:  Version >= 3.2.0 and < 3.3.1. Attackers who can access the Master or Worker nodes can compromise the system by creating a StandardRpcRequest, injecting a malicious class type into it, and sending RPC requests to the DolphinScheduler Master/Worker nodes. Users are recommended to upgrade to version [3.3.1], which fixes the issue.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2025-62233 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
LOW

Weakness Type

What is a Marshaling, Unmarshaling Vulnerability?

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

CVE-2025-62233 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.


Products Associated with CVE-2025-62233

Want to know whenever a new CVE is published for Apache DolphinScheduler? stack.watch will email you.

Apache DolphinScheduler
 

Affected Versions

Apache Software Foundation Apache DolphinScheduler: