CVE-2025-62419
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-62419, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-10-17

Last updated on: 2025-10-24

Assigner: GitHub, Inc.

Description

DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC URL injection vulnerability exists in the DB2 and MongoDB data source configuration handlers. In the DB2 data source handler, when the extraParams field is empty, the HOSTNAME, PORT, and DATABASE values are directly concatenated into the JDBC URL without filtering illegal parameters. This allows an attacker to inject a malicious JDBC string into the HOSTNAME field to bypass previously patched vulnerabilities CVE-2025-57773 and CVE-2025-58045. The vulnerability is fixed in version 2.10.14. No known workarounds exist.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-10-17
Last Modified
2025-10-24
Generated
2026-07-06
AI Q&A
2025-10-17
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
dataease dataease to 2.10.14 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in DataEase versions through 2.10.13 in the DB2 and MongoDB data source configuration handlers. Specifically, in the DB2 handler, when the extraParams field is empty, the HOSTNAME, PORT, and DATABASE values are concatenated directly into the JDBC URL without filtering out illegal parameters. This allows an attacker to inject a malicious JDBC string into the HOSTNAME field, potentially bypassing previously patched vulnerabilities.

Impact Analysis

An attacker exploiting this vulnerability can inject malicious JDBC strings into the HOSTNAME field, which may allow them to bypass security measures and potentially execute unauthorized actions or access data through the database connection. This could lead to data breaches or unauthorized manipulation of data within the DataEase platform.

Mitigation Strategies

Upgrade DataEase to version 2.10.14 or later, as this version contains the fix for the JDBC URL injection vulnerability. No known workarounds exist, so applying the update is the recommended immediate mitigation step.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62419. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart