CVE-2025-62188
Published: 09 April 2026
Summary
CVE-2025-62188 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Apache DolphinScheduler. Its CVSS v3.1 base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 6.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- CM-7 (Least Functionality): prohibits or restricts nonessential management endpoints that expose sensitive information such as database credentials, directly aligning with the workaround that limits exposure to health, metrics, and prometheus.
- CM-6 (Configuration Settings): enforces secure configuration settings for the application so that only the required web management endpoints are exposed, preventing unauthorized access to database credentials.
- Confidentiality protection for sensitive information reachable over public network interfaces, such as unauthenticated management endpoints.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability exposes database credentials through unauthenticated, publicly reachable management endpoints (CWE-200). Reaching those endpoints over the network is Exploit Public-Facing Application (T1190); harvesting the credentials they return is Unsecured Credentials (T1552).
NVD Description
An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler. This vulnerability may allow unauthorized actors to access sensitive information, including database credentials. This issue affects Apache DolphinScheduler versions 3.1.*. Users are recommended to upgrade to:
* version ≥ 3.2.0 if using 3.1.x
As a temporary workaround, users who cannot upgrade immediately may restrict the exposed management endpoints by setting the following environment variable:
```
MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus
```
Alternatively, add the following configuration to the application.yaml file:
```yaml
management:
  endpoints:
    web:
      exposure:
        include: health,metrics,prometheus
```
This issue has been reported as CVE-2023-48796: https://cveprocess.apache.org/cve5/CVE-2023-48796
Deeper analysis
CVE-2025-62188 is an Exposure of Sensitive Information to an Unauthorized Actor vulnerability (CWE-200) in Apache DolphinScheduler, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). It affects versions 3.1.*, where sensitive information, including database credentials, is exposed through management endpoints.
Remote attackers with network access can exploit this vulnerability without authentication, privileges, or user interaction. Successful exploitation allows them to retrieve high-confidentiality data such as database credentials, potentially enabling further compromise of connected systems.
Apache advisories recommend upgrading to version 3.2.0 or later for users on 3.1.x. As a temporary workaround, restrict the exposed management endpoints by setting the environment variable MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus, or by adding the following to application.yaml:
```yaml
management:
  endpoints:
    web:
      exposure:
        include: health,metrics,prometheus
```
The workaround is an allowlist: every management endpoint not named in it, including whichever endpoint was returning the credentials, stops being served over HTTP. The three that remain are still unauthenticated, so restricting network access to the management endpoints remains advisable even after applying it.
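The property the workaround sets, management.endpoints.web.exposure.include, is a Spring Boot Actuator property, so its effect follows Spring Boot's exposure rules rather than anything DolphinScheduler-specific. The following Python is an added example written for this page (not code from the page or from the DolphinScheduler project): it models those rules (include selects endpoints, exclude overrides include, '*' matches all, an unset include defaults to health as in Spring Boot 2.5 and later) so that a reviewer can compare a weak setting with the advisory's allowlist in both the environment-variable and application.yaml forms. The endpoint ID list is a constructed sample of standard Actuator IDs, the /actuator base path is Spring Boot's default, and neither is taken from the page.

```python
"""Resolve which Spring Boot Actuator endpoints an exposure setting leaves reachable.

Added example for this page, not DolphinScheduler project code. It models the
documented semantics of management.endpoints.web.exposure.include/exclude so
a weak setting can be compared with the CVE workaround's allowlist.
"""
from typing import Iterable, Mapping, Optional

# Constructed sample of standard Spring Boot Actuator endpoint IDs (assumption,
# not from the advisory); 'env' and 'configprops' render resolved configuration.
ACTUATOR_ENDPOINTS = frozenset({
    "health", "info", "metrics", "prometheus", "env", "configprops",
    "beans", "mappings", "loggers", "threaddump", "heapdump",
})

# The allowlist from the advisory's workaround.
WORKAROUND_INCLUDE = "health,metrics,prometheus"

# Spring Boot relaxed binding maps these variables onto the dotted properties.
ENV_INCLUDE = "MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE"
ENV_EXCLUDE = "MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_EXCLUDE"


def parse_ids(value: Optional[str]) -> frozenset:
    """Split a comma-separated property value into endpoint IDs."""
    if not value:
        return frozenset()
    return frozenset(p.strip() for p in value.split(",") if p.strip())


def exposed_endpoints(include: Optional[str], exclude: Optional[str] = None,
                      known: Iterable[str] = ACTUATOR_ENDPOINTS) -> frozenset:
    """Return the endpoint IDs served over HTTP for this include/exclude pair.

    Spring Boot rules: an unset include defaults to 'health' (2.5+ default),
    '*' selects every known endpoint, and exclude always wins over include.
    """
    known = frozenset(known)
    inc = parse_ids(include) if include is not None else frozenset({"health"})
    exc = parse_ids(exclude)
    selected = known if "*" in inc else inc & known
    if "*" in exc:
        return frozenset()
    return selected - exc


def exposure_from_env(environ: Mapping[str, str]) -> frozenset:
    """Resolve exposure from the environment-variable form given in the workaround."""
    return exposed_endpoints(environ.get(ENV_INCLUDE), environ.get(ENV_EXCLUDE))


def exposure_from_yaml_config(config: Mapping) -> frozenset:
    """Resolve exposure from an already-parsed application.yaml mapping."""
    exposure = (config.get("management", {}).get("endpoints", {})
                .get("web", {}).get("exposure", {}))
    return exposed_endpoints(exposure.get("include"), exposure.get("exclude"))


def beyond_allowlist(exposed: Iterable[str], allow: str = WORKAROUND_INCLUDE) -> frozenset:
    """Endpoint IDs exposed that the workaround would not permit; empty means compliant."""
    return frozenset(exposed) - parse_ids(allow)


def endpoint_paths(exposed: Iterable[str], base_path: str = "/actuator") -> list:
    """URL paths to probe, using Spring Boot's default management base path."""
    return sorted(f"{base_path}/{eid}" for eid in exposed)


if __name__ == "__main__":
    # Weak setting: a wildcard publishes every endpoint, env and configprops included.
    weak = exposed_endpoints("*")
    print("wildcard exposes beyond allowlist:", sorted(beyond_allowlist(weak)))
    print("paths to confirm are closed after the fix:",
          endpoint_paths(beyond_allowlist(weak)))
    # Corrected setting, in both forms the advisory gives.
    env = {ENV_INCLUDE: WORKAROUND_INCLUDE}
    yaml_cfg = {"management": {"endpoints": {"web": {"exposure":
                {"include": WORKAROUND_INCLUDE}}}}}
    print("env form compliant:", not beyond_allowlist(exposure_from_env(env)))
    print("yaml form compliant:", not beyond_allowlist(exposure_from_yaml_config(yaml_cfg)))
```

Two practical points follow from the model. First, exclude takes precedence over include, so an existing management.endpoints.web.exposure.exclude entry cannot re-open anything the allowlist closes, but an include of '*' left in a profile-specific file can silently undo the workaround; audit every active profile. Second, in YAML a wildcard must be written as the quoted string '*', since a bare * starts an alias, which is one reason to prefer the explicit three-name allowlist over any wildcard-plus-exclude arrangement.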
This issue has also been reported as CVE-2023-48796, with details available at https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo and https://www.cve.org/CVERecord?id=CVE-2023-48796.
Details
- CWE(s)