CVE-2025-70828
Remote Code Execution via JDBC URL in Datart v1.0.0-rc
Publication date: 2026-02-17
Last updated on: 2026-04-03
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| running-elephant | datart | 1.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-70828 is a vulnerability in Datart version 1.0.0-rc.3 related to improper input validation of the JDBC URL parameter during data source configuration.
An authenticated attacker with data source configuration privileges can inject malicious parameters into the JDBC connection string, such as `allowLoadLocalInfile=true`.
By directing the JDBC URL to connect to a rogue MySQL server controlled by the attacker, the attacker exploits the LOAD DATA LOCAL INFILE feature to cause the Datart server to send local files from its filesystem (like `/etc/passwd`, configuration files, or source code) to the attacker.
How can this vulnerability impact me?
This vulnerability can lead to arbitrary file disclosure, exposing sensitive files on the Datart server to an attacker.
The exposure of sensitive information such as configuration files, source code, or system files can result in further server compromise or additional attacks.
Overall, the impact is considered high severity due to the potential for significant data leakage and system compromise.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the Datart server's `/api/v1/data-provider/test` endpoint that include JDBC URLs with parameters such as `allowLoadLocalInfile=true`, `allowUrlInLocalInfile=true`, and unusually high `maxAllowedPacket` values.
You can look for signs of exploitation by inspecting web server logs or network traffic for these specific patterns in the JSON payload.
Example commands to detect potential exploitation attempts include:
- Using grep on server logs to find suspicious JDBC URLs: `grep -i 'allowLoadLocalInfile=true' /path/to/datart/logs/*`
- Using tcpdump or Wireshark to filter HTTP POST requests to the `/api/v1/data-provider/test` endpoint and inspect payloads for JDBC URL parameters.
- Checking for unusual MySQL connection attempts or connections to unknown MySQL servers from the Datart server.
[1]
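The check described above, as an added example that is not from the original page or the Datart project: it walks captured request bodies for the test endpoint, pulls out every JDBC URL and flags the listed parameters even when their case or percent-encoding would defeat a plain grep. The JSON field names, hosts, accepted truthy values and the `maxAllowedPacket` threshold are assumptions.

```python
import json
from urllib.parse import parse_qsl

RISKY_FLAGS = {"allowloadlocalinfile", "allowurlinlocalinfile"}  # names from the text above
TRUTHY = {"true", "yes"}                 # assumption: values treated as "enabled"
MAX_PACKET_THRESHOLD = 16 * 1024 * 1024  # assumption: local cut-off for "unusually high"
ENDPOINT = "/api/v1/data-provider/test"

def jdbc_urls(node):
    """Yield every string starting with 'jdbc:' found anywhere in decoded JSON."""
    if isinstance(node, str) and node.strip().lower().startswith("jdbc:"):
        yield node.strip()
    elif isinstance(node, (dict, list)):
        for child in (node.values() if isinstance(node, dict) else node):
            yield from jdbc_urls(child)

def findings_for_url(url):
    """Return indicators in the URL's query string; parse_qsl percent-decodes them."""
    reasons = []
    for key, value in parse_qsl(url.partition("?")[2], keep_blank_values=True):
        key, value = key.strip().lower(), value.strip().lower()
        if key in RISKY_FLAGS and value in TRUTHY:
            reasons.append(f"{key}={value}")
        elif key == "maxallowedpacket" and value.isdigit() and int(value) > MAX_PACKET_THRESHOLD:
            reasons.append(f"{key}={value}")
    return reasons

def scan(requests):
    """Yield (jdbc_url, reasons) for POSTs to ENDPOINT; requests = (method, path, body)."""
    for method, path, body in requests:
        if method.upper() != "POST" or not path.startswith(ENDPOINT):
            continue
        try:
            payload = json.loads(body)
        except ValueError:
            continue  # body is not JSON, nothing to inspect
        for url in jdbc_urls(payload):
            reasons = findings_for_url(url)
            if reasons:
                yield url, reasons

# Constructed sample requests: hosts and JSON field names are made up for illustration.
SAMPLE = [
    ("POST", ENDPOINT, '{"properties": {"url": "jdbc:mysql://db.internal.example:3306/sales?useSSL=true"}}'),
    ("POST", ENDPOINT, '{"properties": {"url": "jdbc:mysql://203.0.113.10:3306/x?AllowLoadLocalInfile=%74rue&maxAllowedPacket=655360000"}}'),
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Only the `?key=value&...` query-string form of a JDBC URL is inspected here; parameters supplied through other fields of the data source configuration need their own check.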
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or disabling the ability to configure JDBC URLs with parameters that enable `LOAD DATA LOCAL INFILE` features, such as `allowLoadLocalInfile=true`.
Ensure that only trusted users have data source configuration privileges to prevent attackers from injecting malicious JDBC URLs.
Monitor and block outgoing connections from the Datart server to untrusted or unknown MySQL servers to prevent data exfiltration.
Apply any available patches or updates from the Datart project that address this vulnerability once released.