On March 7, 2025, security researchers identified a critical vulnerability in Apache Flink CDC, specifically in version 3.4. Tracked as CVE-2025-62228, this flaw allows SQL injection through malicious database or table names if the attacker already has database access with sufficient privileges. The Apache community has fixed the issue with the release of Flink CDC 3.5. Let’s break down what happened, how attackers could exploit this, and what you should do about it.
1. What is Flink CDC?
Apache Flink CDC is a popular framework that pulls real-time change data from databases into Flink for stream processing and analytics. It handles events like row insertions, updates, or deletions using CDC (Change Data Capture) connectors for databases like MySQL, Oracle, etc.
2. What is CVE-2025-62228?
In version 3.4. of Flink CDC, user-controlled inputs such as database and table names were handled incorrectly. If an attacker could configure a database or table identifier containing special SQL characters, Flink CDC would interpolate it directly into SQL queries. This opens the door to SQL injection, one of the most dangerous classes of vulnerability.
3. Example Scenario
Suppose you have a database user who can connect to your Flink CDC infrastructure (maybe an internal team, or a tool). If this user creates a table with a name containing SQL, for instance:
users`; DROP TABLE important_data; --
And then Flink CDC attempts to read from it with code like:
String query = "SELECT * FROM " + tableName;
statement.execute(query);
The generated SQL would be:
SELECT * FROM users`; DROP TABLE important_data; --
This would delete the important_data table! Ouch.
Below is a simplified Java snippet resembling what could cause trouble in Flink CDC 3.4.
// Vulnerable code in Flink CDC 3.4.
String database = userProvidedDatabaseName;
String table = userProvidedTableName;
String sql = "SELECT * FROM " + database + "." + table;
// This string is sent directly to the database!
statement.executeQuery(sql);
Here, neither database nor table is sanitized or validated, so anyone who can register a name (with the proper privileges) can inject SQL into the query.
4. Exploit Requirements
- The attacker must have database credentials known to Flink CDC (i.e., be a database user, not remote anonymous).
- The attacker registers/creates a database or table with a maliciously crafted name.
Suppose the attacker runs:
CREATE TABLE legit_tbl; DROP TABLE customers; -- (id INT);
Flink CDC, when trying to read from this table, would craft:
SELECT * FROM legit_tbl; DROP TABLE customers; --
If executed, this would drop your important customers table.
5. Fix: Version 3.5.
The Flink team recognized the problem and fixed it in Flink CDC 3.5. by properly quoting identifiers and sanitizing all inputs. The repaired code uses prepared statements where values are involved and quotes identifiers, e.g.:
// Fixed code
String safeDatabase = quoteIdentifier(userProvidedDatabaseName);
String safeTable = quoteIdentifier(userProvidedTableName);
String sql = "SELECT * FROM " + safeDatabase + "." + safeTable;
statement.executeQuery(sql);
6. Typical quoting in Java/JDBC
private String quoteIdentifier(String identifier) {
    // Wrap the name in backticks and double any embedded backtick,
    // so a crafted name cannot close the quote and start new SQL.
    return "`" + identifier.replace("`", "``") + "`";
}
As long as every identifier passes through this routine, a name cannot break out of its backticks, so SQL injection through identifiers is no longer possible.
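To make the fix concrete, here is an added example (not Flink CDC's own code) that implements the backtick quoting described above, adds an allowlist audit a defender can run over a catalog dump to spot identifiers created with SQL metacharacters, and exercises the quoted query against SQLite in memory as a stand-in for MySQL (SQLite accepts backtick-quoted identifiers with the same doubled-backtick escape). The sample table names, the `important_data` table and the `main` schema prefix are constructed for this example; MySQL's `database.table` form is mirrored by SQLite's `main.table`.

```python
import re
import sqlite3

# Sample identifiers as a defender might pull them from information_schema.tables
# (constructed for this example, not real catalog data). Two of them are the
# hostile names from the scenario above.
SAMPLE_TABLE_NAMES = [
    "users",
    "order_items",
    "users`; DROP TABLE important_data; --",
    "legit_tbl; DROP TABLE customers; --",
]

# Conservative allowlist for CDC source identifiers: the characters MySQL
# permits in an unquoted name, capped at MySQL's 64-character limit.
SAFE_IDENTIFIER = re.compile(r"^[A-Za-z0-9_$]{1,64}$")


def quote_identifier(identifier: str) -> str:
    """Wrap a MySQL-style identifier in backticks, doubling any embedded backtick.

    Doubling is the escape rule MySQL uses inside backtick-quoted names; once
    quoted, characters such as ';' and '--' are part of the name, not SQL.
    """
    if not identifier:
        raise ValueError("empty identifier")
    if "\x00" in identifier:
        raise ValueError("identifier contains NUL byte")
    return "`" + identifier.replace("`", "``") + "`"


def audit_identifiers(names):
    """Return the names that fall outside the allowlist, for human review.

    Running this over a catalog dump is a cheap way to spot identifiers that
    were created with SQL metacharacters, whether or not the CDC code quotes them.
    """
    return [n for n in names if not SAFE_IDENTIFIER.match(n)]


def build_query_vulnerable(database: str, table: str) -> str:
    """The 3.4-style concatenation: identifiers become raw SQL text."""
    return "SELECT * FROM " + database + "." + table


def build_query_fixed(database: str, table: str) -> str:
    """The 3.5-style construction: both identifiers quoted."""
    return "SELECT * FROM " + quote_identifier(database) + "." + quote_identifier(table)


def demo(hostile_table_name: str) -> dict:
    """Create a table whose literal name is hostile, read it through the quoted
    query, and report which tables still exist afterwards.

    SQLite in memory stands in for MySQL here; it accepts backtick-quoted
    identifiers, so the quoting rule can be exercised without a server.
    """
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE important_data (id INTEGER)")
    con.execute("INSERT INTO important_data VALUES (1)")
    con.execute("CREATE TABLE " + quote_identifier(hostile_table_name) + " (id INTEGER)")
    con.execute("INSERT INTO " + quote_identifier(hostile_table_name) + " VALUES (42)")

    # "main" is SQLite's default schema, playing the role of the MySQL database name.
    query = build_query_fixed("main", hostile_table_name)
    rows = con.execute(query).fetchall()

    surviving = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    con.close()
    return {"rows": rows, "tables": surviving}


if __name__ == "__main__":
    print("flagged for review:", audit_identifiers(SAMPLE_TABLE_NAMES))
    print("vulnerable:", build_query_vulnerable("app", SAMPLE_TABLE_NAMES[2]))
    print("fixed:     ", build_query_fixed("app", SAMPLE_TABLE_NAMES[2]))
    print(demo(SAMPLE_TABLE_NAMES[2]))
```

Note that quoting and the allowlist are complementary: quoting makes the query safe regardless of the name, while the audit tells you that someone with database privileges has already created names that look like injection payloads, which is worth an investigation on its own.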
7. References
- Apache Flink CDC repository
- CVE Record: CVE-2025-62228 (MITRE) *(pending)*
- Flink CDC 3.5. Release Notes
- OWASP: SQL Injection
8. Summary
CVE-2025-62228 reminds us that even internal components with “trusted” users can be at risk. Always sanitize *all* user input, including identifiers like table and database names. If you’re running Flink CDC 3.4. or earlier, upgrade now to 3.5. to keep your data and infrastructure safe. Don’t wait for an insider or compromised account to make it an expensive lesson.
If you have questions about your Flink CDC deployment, or want to share experiences, start a discussion on GitHub.
Timeline
Published on: 10/09/2025 14:15:55 UTC
Last modified on: 12/03/2025 21:48:36 UTC