CVE-2025-62228 MEDIUM

CVE-2025-62228: Apache Flink CDC, Apache Flink CDC, Apache Flink CDC, Apache Flink CDC, Apache Flink CDC: SQL injection via maliciously crafted identifiers

Vendor Apache Software Foundation

Product Apache Flink CDC

Weakness CWE-89 · SQLi

Published October 9, 2025

Last update November 4, 2025

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/R:U/V:C/RE:L/U:Amber

What the vulnerability does

Description

Apache Flink CDC version 3.4.0 was vulnerable to a SQL injection via maliciously crafted identifiers eg. crafted database name or crafted table name. Even through only the logged-in database user can trigger the attack, we recommend users update Flink CDC version to 3.5.0 which address this issue.

Key dates

Disclosure timeline

October 9, 2025 CVE published

November 4, 2025 Record updated

Identifiers

CVE CVE-2025-62228

CWE CWE-89

CVSS 5.1 / MEDIUM

Affected versions

Vendor Apache Software Foundation

Product Apache Flink CDC

Affected ≥ 3.0.0 and ≤ 3.4.0

Vendor Apache Software Foundation

Product Apache Flink CDC

Affected ≥ 3.0.0 and ≤ 3.4.0

Vendor Apache Software Foundation

Product Apache Flink CDC

Affected ≥ 3.0.0 and ≤ 3.4.0

Vendor Apache Software Foundation

Product Apache Flink CDC

Affected ≥ 3.0.0 and ≤ 3.4.0

Vendor Apache Software Foundation

Product Apache Flink CDC

Affected ≥ 3.3.0 and ≤ 3.4.0