CVE-2025-62228

Apache Flink CDC version 3.0.0 to before 3.5.0 are vulnerable to a SQL injection via maliciously crafted identifiers eg. crafted database name or crafted table name. Even through only the logged-in database user can trigger the attack, users are recommended to update Flink CDC version to 3.5.0 which address this issue.

Published: Oct 9, 2025
Updated: Oct 10, 2025
CVE: CVE-2025-62228
GHSA: GHSA-wqm3-w3p6-xjgm
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-89

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
org.apache.flink / flink-cdc-pipeline-connectors	3.0.0	3.5.0
org.apache.flink / flink-connector-oracle-cdc	3.0.0	3.5.0
org.apache.flink / flink-connector-db2-cdc	3.0.0	3.5.0
org.apache.flink / flink-connector-sqlserver-cdc	3.0.0	3.5.0
org.apache.flink / flink-connector-mysql-cdc	3.0.0	3.5.0

https://github.com/apache/flink-cdc/commit/d5766187a9a4b191820e10238d4594ae665cdb89
https://github.com/apache/flink-cdc/pull/4123
https://lists.apache.org/thread/3dn0hc1wbc5sj0jbgdg33gtnwlw7qrl3

Vulnerability Database

CVE-2025-62228

Deep Security Visibility Without the Complexity