CVE-2025-62228: 
Java vulnerability analysis and mitigation

Apache Flink CDC version 3.0.0 to before 3.5.0 was vulnerable to a SQL injection attack via maliciously crafted identifiers such as database names or table names. The vulnerability was assigned CVE-2025-62228 and was disclosed on October 9, 2025 (NVD, Miggo).

The vulnerability is classified as CWE-89 (SQL Injection) with a CVSS 4.0 Base Score of 5.1 (Medium). The issue stems from improper construction of SQL queries using un-sanitized user-provided identifiers in database and table names. Multiple methods in the org.apache.flink.cdc.connectors.oceanbase.catalog.OceanBaseMySQLCatalog class were found to be vulnerable, using String.format to build SQL queries while embedding raw database and table names into the query string (Miggo).

Although the vulnerability requires an authenticated database user to exploit, it could allow attackers to manipulate SQL queries' logic or inject entirely new SQL commands through specially crafted identifiers. The vulnerability affects multiple Flink CDC connectors including Oracle, DB2, SQL Server, and MySQL connectors (Miggo).

Users are recommended to update to Flink CDC version 3.5.0 which addresses this issue by implementing proper identifier escaping and using PreparedStatement with parameter markers for DQL statements (NVD, Miggo).