GHSA-wqm3-w3p6-xjgm

Source

https://github.com/advisories/GHSA-wqm3-w3p6-xjgm

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wqm3-w3p6-xjgm/GHSA-wqm3-w3p6-xjgm.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-wqm3-w3p6-xjgm

Aliases

CVE-2025-62228

Published

2025-10-09T15:31:03Z

Modified

2025-11-05T20:52:29.216256Z

Severity

5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L CVSS Calculator

Summary

Apache Flink CDC is vulnerable to SQL Injection through maliciously crafted identifiers

Details

Apache Flink CDC version 3.0.0 to before 3.5.0 are vulnerable to a SQL injection via maliciously crafted identifiers eg. crafted database name or crafted table name. Even through only the logged-in database user can trigger the attack, users are recommended to update Flink CDC version to 3.5.0 which address this issue.

Database specific

{
    "github_reviewed_at": "2025-10-09T20:53:40Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-89"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2025-10-09T14:15:55Z"
}

References

Affected packages

Maven

org.apache.flink:flink-cdc-pipeline-connectors

Package

Name: org.apache.flink:flink-cdc-pipeline-connectors; View open source insights on deps.dev
Purl: pkg:maven/org.apache.flink/flink-cdc-pipeline-connectors

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.5.0

Affected versions

3.*

3.1.0

3.1.1

3.2.0

3.2.1

3.3.0

3.4.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wqm3-w3p6-xjgm/GHSA-wqm3-w3p6-xjgm.json"

org.apache.flink:flink-connector-oracle-cdc

Package

Name: org.apache.flink:flink-connector-oracle-cdc; View open source insights on deps.dev
Purl: pkg:maven/org.apache.flink/flink-connector-oracle-cdc

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.5.0

Affected versions

3.*

3.1.0

3.1.1

3.2.0

3.2.1

3.3.0

3.4.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wqm3-w3p6-xjgm/GHSA-wqm3-w3p6-xjgm.json"

org.apache.flink:flink-connector-db2-cdc

Package

Name: org.apache.flink:flink-connector-db2-cdc; View open source insights on deps.dev
Purl: pkg:maven/org.apache.flink/flink-connector-db2-cdc

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.5.0

Affected versions

3.*

3.1.0

3.1.1

3.2.0

3.2.1

3.3.0

3.4.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wqm3-w3p6-xjgm/GHSA-wqm3-w3p6-xjgm.json"

org.apache.flink:flink-connector-sqlserver-cdc

Package

Name: org.apache.flink:flink-connector-sqlserver-cdc; View open source insights on deps.dev
Purl: pkg:maven/org.apache.flink/flink-connector-sqlserver-cdc

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.5.0

Affected versions

3.*

3.1.0

3.1.1

3.2.0

3.2.1

3.3.0

3.4.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wqm3-w3p6-xjgm/GHSA-wqm3-w3p6-xjgm.json"

org.apache.flink:flink-connector-mysql-cdc

Package

Name: org.apache.flink:flink-connector-mysql-cdc; View open source insights on deps.dev
Purl: pkg:maven/org.apache.flink/flink-connector-mysql-cdc

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.5.0

Affected versions

3.*

3.1.0

3.1.1

3.2.0

3.2.1

3.3.0

3.4.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wqm3-w3p6-xjgm/GHSA-wqm3-w3p6-xjgm.json"