CVE-2025-62228: Apache Flink CDC is vulnerable to SQL Injection through maliciously crafted identifiers

October 9, 2025

Apache Flink CDC version 3.0.0 to before 3.5.0 are vulnerable to a SQL injection via maliciously crafted identifiers eg. crafted database name or crafted table name. Even through only the logged-in database user can trigger the attack, users are recommended to update Flink CDC version to 3.5.0 which address this issue.

References

github.com/advisories/GHSA-wqm3-w3p6-xjgm
github.com/apache/flink-cdc
github.com/apache/flink-cdc/commit/d5766187a9a4b191820e10238d4594ae665cdb89
github.com/apache/flink-cdc/pull/4123
lists.apache.org/thread/3dn0hc1wbc5sj0jbgdg33gtnwlw7qrl3
nvd.nist.gov/vuln/detail/CVE-2025-62228

Code Behaviors & Features

Detect and mitigate CVE-2025-62228 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →