CVE-2025-62419
BaseFortify
Publication date: 2025-10-17
Last updated on: 2025-10-24
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dataease | dataease | up to 2.10.14 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in DataEase versions through 2.10.13, in the DB2 and MongoDB data source configuration handlers. In the DB2 handler, when the extraParams field is empty, the HOSTNAME, PORT, and DATABASE values are concatenated directly into the JDBC URL without filtering out illegal parameters. This allows an attacker to inject a malicious JDBC string through the HOSTNAME field, potentially bypassing the fixes for previously patched vulnerabilities of the same kind.
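A defensive counterpart to the concatenation described above, added here as an example and not DataEase's own code: each field is validated against an allow-list before it is joined into the DB2 JDBC URL, so characters that would start additional URL or property syntax never reach the driver. The class name, regular expressions and limits are assumptions chosen for illustration.

```java
import java.util.regex.Pattern;

// Added example (not DataEase's own code): allow-list validation of the
// DB2 data source fields before they are concatenated into a JDBC URL.
// Field names mirror the advisory (HOSTNAME, PORT, DATABASE); the patterns
// and limits are assumptions, not values taken from the project.
public final class Db2JdbcUrlBuilder {

    // Hostname: DNS labels (letters, digits, hyphen) joined by dots; this also
    // accepts dotted IPv4 addresses. No ':', ';', '/', '?', '=' can match.
    private static final Pattern HOSTNAME = Pattern.compile(
        "^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
        + "(\\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$");
    // Database name: conservative allow-list without any URL delimiters.
    private static final Pattern DATABASE = Pattern.compile("^[A-Za-z0-9_]{1,128}$");

    public static String build(String hostname, String port, String database) {
        if (hostname == null || !HOSTNAME.matcher(hostname).matches()) {
            throw new IllegalArgumentException("invalid HOSTNAME");
        }
        int p;
        try {
            p = Integer.parseInt(port);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("invalid PORT");
        }
        if (p < 1 || p > 65535) {
            throw new IllegalArgumentException("invalid PORT");
        }
        if (database == null || !DATABASE.matcher(database).matches()) {
            throw new IllegalArgumentException("invalid DATABASE");
        }
        // Only validated values are concatenated, so the URL has exactly the
        // shape jdbc:db2://host:port/database and nothing after it.
        return "jdbc:db2://" + hostname + ":" + p + "/" + database;
    }

    public static void main(String[] args) {
        // Constructed sample values for the demonstration.
        System.out.println(build("db2.internal.example", "50000", "SAMPLE"));
        try {
            // A HOSTNAME that carries extra URL syntax is rejected before
            // any string building happens.
            build("db2.internal.example:1/x;", "50000", "SAMPLE");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```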
How can this vulnerability impact me?
An attacker exploiting this vulnerability can inject malicious JDBC strings into the HOSTNAME field, which may allow them to bypass security measures and potentially execute unauthorized actions or access data through the database connection. This could lead to data breaches or unauthorized manipulation of data within the DataEase platform.
What immediate steps should I take to mitigate this vulnerability?
Upgrade DataEase to version 2.10.14 or later, as this version contains the fix for the JDBC URL injection vulnerability. No known workarounds exist, so applying the update is the recommended immediate mitigation step.