CVE-2025-57772
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-25

Last updated on: 2025-09-03

Assigner: GitHub, Inc.

Description
DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.12, there is a H2 JDBC RCE bypass in DataEase. If the JDBC URL meets criteria, the getJdbcUrl method is returned, which acts as the getter for the JdbcUrl parameter provided. This bypasses H2's filtering logic and returns the H2 JDBC URL, allowing the "driver":"org.h2.Driver" to specify the H2 driver for the JDBC connection. The vulnerability has been fixed in version 2.10.12.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-25
Last Modified
2025-09-03
Generated
2026-06-16
AI Q&A
2025-08-26
EPSS Evaluated
2026-06-14
NVD
CVE-2025-57772
EUVD
EUVD-2025-25711
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dataease dataease to 2.10.12 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Remote Code Execution (RCE) bypass in DataEase versions prior to 2.10.12. It occurs because the getJdbcUrl method returns the H2 JDBC URL if the JDBC URL meets certain criteria, bypassing H2's filtering logic. This allows an attacker to specify the H2 driver for the JDBC connection, potentially enabling execution of arbitrary code.

Impact Analysis

The vulnerability can allow an attacker to execute arbitrary code remotely on the system running DataEase by exploiting the JDBC URL handling. This can lead to unauthorized access, data compromise, or control over the affected system.

Mitigation Strategies

Upgrade DataEase to version 2.10.12 or later, as this version contains the fix for the H2 JDBC RCE bypass vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-57772. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart