CVE-2025-62228: 
Java vulnerability analysis and mitigation

Apache Flink CDC version 3.4.0 and earlier versions (3.0.0 through 3.4.0) were discovered to be vulnerable to SQL injection attacks. The vulnerability affects multiple CDC connectors including MySQL, SQL Server, DB2, Oracle, and OceanBase CDC connectors (Apache List). The vulnerability was discovered by researchers intSheep and Mapta/BugBunny_ai and was publicly disclosed on October 9, 2025 (NVD).

The vulnerability allows SQL injection attacks through maliciously crafted identifiers, specifically through crafted database names or table names. The vulnerability has been assigned a CVSS v4.0 base score of 5.1 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/R:U/V:C/RE:L/U:Amber. The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) (NVD).

While the vulnerability requires an authenticated database user to exploit, it could potentially allow attackers to perform SQL injection attacks against affected Apache Flink CDC installations. The impact is considered medium severity due to the requirement of authenticated access (NVD).

Users are strongly recommended to update to Apache Flink CDC version 3.5.0, which contains fixes for this vulnerability. This update addresses the SQL injection vulnerability in all affected CDC connectors (Apache List).