CVE-2022-25598 — Uncontrolled Resource Consumption in Apache DolphinScheduler

Description

Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks, Apache DolphinScheduler users should upgrade to version 2.0.5 or higher.

How to fix CVE-2022-25598

To remediate CVE-2022-25598, upgrade the affected package to a fixed version below.

Maven/org.apache.dolphinscheduler:dolphinscheduler—upgrade to 2.0.5 or later
—upgrade to 2.0.5 or later
—upgrade to 2.0.5 or later

Is CVE-2022-25598 being exploited?

Low — EPSS is 1.1%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 2.0.5
from 0, < 2.0.5
from 0, < 2.0.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (5)

ADVISORYgithub.com/advisories/GHSA-qg5x-66hp-cw5p
ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-25598
PATCHgithub.com/apache/dolphinscheduler
WEBgithub.com/pypa/advisory-database/tree/main/vulns/apache-dolphinscheduler/PYSEC-2022-176.yaml