CVE-2025-62419
BaseFortify

Publication date: 2025-10-17

Last updated on: 2025-10-24

Assigner: GitHub, Inc.

Description
DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC URL injection vulnerability exists in the DB2 and MongoDB data source configuration handlers. In the DB2 data source handler, when the extraParams field is empty, the HOSTNAME, PORT, and DATABASE values are directly concatenated into the JDBC URL without filtering illegal parameters. This allows an attacker to inject a malicious JDBC string into the HOSTNAME field to bypass previously patched vulnerabilities CVE-2025-57773 and CVE-2025-58045. The vulnerability is fixed in version 2.10.14. No known workarounds exist.
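The concatenation pattern the description names, shown as an added illustration that is not DataEase's code: a hypothetical DB2 URL builder in the unsafe shape (fields pasted straight into the URL) beside a version that allow-lists each field first. The class name, the regexes and the sample values are assumptions.

```java
import java.util.regex.Pattern;

// Hypothetical example, not DataEase's code: the unfiltered concatenation the
// advisory describes, next to a builder that validates each field before use.
public final class Db2UrlBuilder {
    // Host: RFC 1123 labels or a dotted IPv4 address. URL delimiters such as
    // ':', ';', '/', '?', '=' and '&' cannot match, so nothing that alters the
    // meaning of the JDBC URL survives into it.
    private static final Pattern HOST = Pattern.compile(
        "^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
      + "(\\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$");
    // Database: identifier characters only (assumed limit).
    private static final Pattern DATABASE = Pattern.compile("^[A-Za-z0-9_]{1,64}$");

    /** Vulnerable shape: every field is trusted and pasted into the URL. */
    static String unsafeUrl(String host, String port, String database) {
        return "jdbc:db2://" + host + ":" + port + "/" + database;
    }

    /** Hardened shape: reject any field that is not a plain host, port or name. */
    static String safeUrl(String host, String port, String database) {
        if (host == null || !HOST.matcher(host).matches()) {
            throw new IllegalArgumentException("hostname contains disallowed characters");
        }
        int p;
        try {
            p = Integer.parseInt(port == null ? "" : port.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("port is not numeric");
        }
        if (p < 1 || p > 65535) {
            throw new IllegalArgumentException("port out of range");
        }
        if (database == null || !DATABASE.matcher(database).matches()) {
            throw new IllegalArgumentException("database name contains disallowed characters");
        }
        return "jdbc:db2://" + host + ":" + p + "/" + database;
    }

    public static void main(String[] args) {
        // Constructed sample values.
        System.out.println(safeUrl("db2.example.internal", "50000", "SAMPLE"));
        // A host value carrying URL delimiters would pass unsafeUrl unchanged;
        // safeUrl rejects it before any connection is attempted.
        try {
            safeUrl("db2.example.internal/extra;key=value", "50000", "SAMPLE");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same allow-list approach applies to the MongoDB handler the description mentions; only the URL prefix and the accepted name characters differ.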
Meta Information
Published: 2025-10-17
Last Modified: 2025-10-24
Generated: 2026-06-16
AI Q&A: 2025-10-17
EPSS Evaluated: 2026-06-14
References: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: dataease
Product: dataease
Version / Range: up to 2.10.14 (excluding)
CWE
CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
AI Quick Actions
Executive Summary

This vulnerability exists in DataEase versions through 2.10.13 in the DB2 and MongoDB data source configuration handlers. Specifically, in the DB2 handler, when the extraParams field is empty, the HOSTNAME, PORT, and DATABASE values are concatenated directly into the JDBC URL without filtering out illegal parameters. This allows an attacker to inject a malicious JDBC string into the HOSTNAME field, potentially bypassing previously patched vulnerabilities.

Impact Analysis

An attacker who can supply data source configuration can inject a crafted JDBC string through the HOSTNAME field, bypassing the fixes for CVE-2025-57773 and CVE-2025-58045 and potentially executing unauthorized actions or accessing data through the database connection. This could lead to data breaches or unauthorized manipulation of data within the DataEase platform.

Mitigation Strategies

Upgrade DataEase to version 2.10.14 or later, as this version contains the fix for the JDBC URL injection vulnerability. No known workarounds exist, so applying the update is the recommended immediate mitigation step.
