
CVE-2025-27138

Severity: High · Public PoC available

Published: 13 March 2025
Modified: 21 March 2025
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available (fixed in DataEase 2.10.6)
CVSS v4.0 base score: 7.7 (High)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0060 (70.1 percentile)
Risk priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-27138 is a high-severity Improper Authentication (CWE-287) vulnerability in DataEase (vendor Dataease, product dataease). Its CVSS v4.0 base score is 7.7 (High); its CVSS v3.1 base score is 9.8 (Critical). The two vectors disagree on impact: the v4.0 vector rates only the integrity of the vulnerable system as High, while the v3.1 vector rates confidentiality, integrity and availability all High, so prioritise on the more conservative v3.1 rating until the discrepancy is resolved.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 29.9% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2025-27138 is an authentication flaw in DataEase, an open-source business intelligence and data visualization tool. Prior to version 2.10.6, the io.dataease.auth.filter.TokenFilter class contains a vulnerability that enables unauthorized access. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-287 (Improper Authentication) and CWE-863 (Incorrect Authorization).

Remote attackers require no privileges, authentication, or user interaction to exploit this over the network with low complexity. Successful exploitation allows unauthorized access to the application, resulting in high confidentiality, integrity, and availability impacts.

The issue is fixed in DataEase version 2.10.6, with no known workarounds available. Additional details are provided in the GitHub security advisory at https://github.com/dataease/dataease/security/advisories/GHSA-533g-whf8-q637.


Vulnerability details

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.6, there is a flaw in the authentication in the io.dataease.auth.filter.TokenFilter class, which may cause the risk of unauthorized access. The vulnerability has been fixed in v2.10.6. No known workarounds are available.

CWE(s)

CWE-287 Improper Authentication
CWE-863 Incorrect Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authentication bypass vulnerability in public-facing web application (DataEase) with no credentials required enables direct exploitation for initial access via T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-57707 (same product: Dataease dataease)
CVE-2025-64428 (same product: Dataease dataease)
CVE-2026-32140 (same product: Dataease dataease)
CVE-2024-56511 (same product: Dataease dataease)
CVE-2025-58748 (same product: Dataease dataease)
CVE-2026-33084 (same product: Dataease dataease)
CVE-2025-58045 (same product: Dataease dataease)
CVE-2025-58046 (same product: Dataease dataease)
CVE-2025-57772 (same product: Dataease dataease)
CVE-2026-33083 (same product: Dataease dataease)

Affected Assets

Vendor: dataease
Product: dataease
Affected versions: < 2.10.6 (every release prior to 2.10.6; 2.10.6 is the first fixed release, so it is not itself affected)
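To turn the affected range into an inventory check, here is an added example (not part of this page or of the DataEase project) that flags instances running anything earlier than 2.10.6. The host names and versions are a constructed sample, and the helper names `parse_version`, `is_affected` and `triage` are assumptions for illustration. It compares version components numerically, because a string comparison would sort `2.10.10` before `2.10.6` and mark a patched host as affected, and it treats a pre-release of 2.10.6 as still affected.

```python
"""Flag DataEase instances affected by CVE-2025-27138 (fixed in 2.10.6).

Added example for this page, not DataEase project code. The inventory
below is constructed sample data; host names and versions are made up.
"""
import re
from typing import Iterable, List, Tuple

# (major, minor, patch, final) where final=1 for a release and 0 for a
# pre-release such as 2.10.6-rc1, so pre-releases sort before the release.
VersionKey = Tuple[int, int, int, int]

FIXED_VERSION: VersionKey = (2, 10, 6, 1)  # first release carrying the TokenFilter fix

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")


def parse_version(text: str) -> VersionKey:
    """Turn 'v2.10.5', '2.10.6' or '2.10.6-rc1' into a numerically comparable key."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised DataEase version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), 0 if suffix else 1)


def is_affected(version: str) -> bool:
    """True for every release prior to 2.10.6; 2.10.6 itself is fixed."""
    return parse_version(version) < FIXED_VERSION


def triage(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Return, sorted, the hosts that still need the 2.10.6 upgrade."""
    return sorted(host for host, version in inventory if is_affected(version))


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("bi-prod-01", "v2.10.5"),
    ("bi-prod-02", "2.10.6"),
    ("bi-dev-01", "2.9.0"),
    ("bi-lab-01", "2.10.10"),      # patched: must not be flagged
    ("bi-legacy", "v1.18.24"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected, upgrade to DataEase 2.10.6 or later")
```

The version string would normally come from the instance's own version endpoint or the deployed container tag; the check itself is the same either way.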

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

IA-2 Identification and Authentication (Organizational Users) · prevent

Requires robust identification and authentication of users, directly addressing the improper authentication flaw (CWE-287) in the TokenFilter class that enables unauthorized access.

AC-3 Access Enforcement · prevent

Mandates enforcement of approved access authorizations, countering the TokenFilter's failure to prevent unauthorized access (CWE-863).

SI-2 Flaw Remediation · prevent

Requires timely identification, reporting, and remediation of flaws like this authentication bypass, as fixed in DataEase v2.10.6.
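The two preventive controls above amount to one engineering rule for an authentication filter: fail closed. The advisory does not say how the TokenFilter flaw works, so the weak variant below is a generic hypothetical pattern (a filter that validates a token only when one is present), not a reconstruction of the DataEase bug. This is an added example, not DataEase code; the token format, signing key, `Request` class, `PUBLIC_PATHS` allowlist and function names are all assumptions for illustration.

```python
"""Fail-closed token filter, i.e. IA-2 / AC-3 expressed in code.

Added example for this page; not DataEase code. The token format,
signing key, routes and names are hypothetical.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional

SIGNING_KEY = b"example-only-signing-key"   # hypothetical; load from a secret store in practice
PUBLIC_PATHS = {"/login", "/health"}        # explicit allowlist of unauthenticated routes


@dataclass
class Request:
    path: str               # canonicalised request path
    token: Optional[str]    # bearer token from the request, or None if absent


def _clock(now: Optional[float]) -> float:
    """Injectable clock so expiry can be tested deterministically."""
    return time.time() if now is None else now


def issue_token(user: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Mint a 'user:expiry:hexmac' token (constructed format) signed with HMAC-SHA256.
    User names must not contain ':' in this toy format."""
    exp = int(_clock(now)) + ttl
    mac = hmac.new(SIGNING_KEY, f"{user}:{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{user}:{exp}:{mac}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user for a well-formed, correctly signed, unexpired token; else None."""
    try:
        user, exp_text, mac = token.split(":")
        exp = int(exp_text)
    except ValueError:          # wrong field count or non-numeric expiry
        return None
    expected = hmac.new(SIGNING_KEY, f"{user}:{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    if _clock(now) >= exp:
        return None
    return user


def token_filter_weak(req: Request, now: Optional[float] = None) -> int:
    """Hypothetical fail-open pattern: a token is checked only if one is present,
    so a request carrying no token at all reaches a protected route."""
    if req.token is not None and verify_token(req.token, now) is None:
        return 401
    return 200


def token_filter_hardened(req: Request, now: Optional[float] = None) -> int:
    """Fail closed: every route outside the explicit allowlist needs a valid token."""
    if req.path in PUBLIC_PATHS:
        return 200
    if req.token is None or verify_token(req.token, now) is None:
        return 401
    return 200


if __name__ == "__main__":
    anon = Request("/api/datasets", None)
    print("weak filter, no token:", token_filter_weak(anon))          # 200: unauthenticated access
    print("hardened filter, no token:", token_filter_hardened(anon))  # 401
```

Two details carry the weight here: the allowlist is an explicit, short set matched against the canonical path (anything not on it is protected by default), and the absence of a token is handled by the same branch as an invalid one. Signature comparison uses `hmac.compare_digest` so a forged token cannot be confirmed byte by byte through timing.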

References

GitHub Security Advisory GHSA-533g-whf8-q637: https://github.com/dataease/dataease/security/advisories/GHSA-533g-whf8-q637