Base Score

HIGH8.8

CVE-2025-62228

Apache Flink CDC version 3.4.0 was vulnerable to a SQL injection via maliciously crafted identifiers eg. crafted database name or crafted table name. Even through only the logged-in database user can trigger the attack, we recommend users update Flink CDC version to 3.5.0 which address this issue.

VectorNETWORK

Published Bysecurity@apache.org

Published DateOct 09, 2025, 14:15

Affected Versions(5)

org.apache.flink:flink-cdc-pipeline-connectors(Maven)

Introduced3.0.0

Fixed3.5.0

LimitN/A

org.apache.flink:flink-connector-oracle-cdc(Maven)

Introduced3.0.0

Fixed3.5.0

LimitN/A

org.apache.flink:flink-connector-db2-cdc(Maven)

Introduced3.0.0

Fixed3.5.0

LimitN/A

org.apache.flink:flink-connector-sqlserver-cdc(Maven)

Introduced3.0.0

Fixed3.5.0

LimitN/A

org.apache.flink:flink-connector-mysql-cdc(Maven)

Introduced3.0.0

Fixed3.5.0

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.apache.flink:flink-cdc-pipeline-connectors(Maven)	3.0.0	3.5.0	N/A
org.apache.flink:flink-connector-oracle-cdc(Maven)	3.0.0	3.5.0	N/A
org.apache.flink:flink-connector-db2-cdc(Maven)	3.0.0	3.5.0	N/A
org.apache.flink:flink-connector-sqlserver-cdc(Maven)	3.0.0	3.5.0	N/A
org.apache.flink:flink-connector-mysql-cdc(Maven)	3.0.0	3.5.0	N/A

Weakness Type (CWE):CWE-89

CVSS Metrics

Base Score

5.1

Vector String

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:C/RE:L/U:Amber

Base Severity

MEDIUM

Version

4.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

HIGH

User Interaction (UI)

NONE

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)

References

Base Score

HIGH8.8

Weakness Type (CWE):CWE-89

CVSS Metrics

Base Score

5.1

Vector String

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:C/RE:L/U:Amber

Base Severity

MEDIUM

Version

4.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

HIGH

User Interaction (UI)

NONE

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)

CVE-2025-62228

VectorNETWORK

Published Bysecurity@apache.org

Published DateOct 09, 2025, 14:15

Package (Ecosystem)

Introduced

Fixed

Limit

org.apache.flink:flink-cdc-pipeline-connectors(Maven)

3.0.0

3.5.0

N/A

org.apache.flink:flink-connector-oracle-cdc(Maven)

3.0.0

3.5.0

N/A

org.apache.flink:flink-connector-db2-cdc(Maven)

3.0.0

3.5.0

N/A

org.apache.flink:flink-connector-sqlserver-cdc(Maven)

3.0.0

3.5.0

N/A

org.apache.flink:flink-connector-mysql-cdc(Maven)

3.0.0

3.5.0

N/A