CVE-2025-49003
Published: 26 June 2025
Summary
CVE-2025-49003 is a high-severity Improper Neutralization of Substitution Characters (CWE-153) vulnerability in DataEase (vendor: DataEase). Its CVSS base score is 8.9 (High).
Operationally, it ranks in the top 15.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
DataEase is an open source business intelligence and data visualization tool that was vulnerable to remote code execution prior to version 2.10.11. The flaw stems from Java's uppercase conversion behavior, in which the character "ı" (dotless i) maps to "I" and "ſ" (long s) maps to "S"; because these characters are not ASCII, an input that contains them can pass a check made on the raw value and still become the forbidden ASCII string once uppercased. An attacker can supply a carefully crafted input that abuses this mapping to bypass intended security checks and execute arbitrary code on the server.
An unauthenticated remote attacker can exploit the issue over the network by sending a malicious message that triggers the character conversion path, resulting in full remote code execution with impacts to confidentiality, integrity, and availability. The CVSS 4.0 score of 8.9 reflects the absence of required authentication or user interaction and the high severity of the resulting compromise.
The vulnerability is addressed in DataEase version 2.10.11 according to the published GitHub security advisory, which states that no workarounds are available. The associated EPSS score has remained flat at 0.0217 with no material increase since disclosure.
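The bug class described above, as an added example that is neither DataEase's code nor taken from the advisory. Python's str.upper() applies the same Unicode case mappings as Java's String.toUpperCase(), so it reproduces the "ı" → "I" and "ſ" → "S" behaviour without a JVM. The deny-list tokens and both guard functions are hypothetical (the page does not say which check DataEase performed); the example shows the shape of the defect, a guard that inspects the input under one transformation while the consumer applies another, next to the hardened form that checks the consumer's own transformed value, plus a detection heuristic for request logs:

```python
"""Unicode case-mapping bypass (the class behind CVE-2025-49003).

Constructed illustration: DENIED_TOKENS and the guard functions are hypothetical
and are not DataEase code. str.upper() uses the same Unicode mappings as Java's
String.toUpperCase(): "ı" (U+0131) -> "I", "ſ" (U+017F) -> "S".
"""
from typing import Optional

# Hypothetical deny-list: strings the downstream consumer must never receive.
DENIED_TOKENS = {"SYSTEM", "FILE"}


def guard_lower_then_upper(value: str) -> Optional[str]:
    """Vulnerable pattern.

    The guard lowercases the input to make its comparison case-insensitive,
    but the consumer uppercases it. "ı" and "ſ" are already lowercase, so
    lower() leaves them alone and the guard sees nothing; upper() then turns
    them into ASCII "I" and "S", producing a denied token after the check.
    Returns the value handed to the consumer, or None if rejected.
    """
    probe = value.lower()
    if any(token.lower() in probe for token in DENIED_TOKENS):
        return None
    return value.upper()  # the mapping happens here, after the guard


def guard_same_transform(value: str) -> Optional[str]:
    """Hardened pattern.

    Apply exactly the transformation the consumer will apply, then check the
    result. Whatever the case mapping does, the guard sees the same bytes the
    consumer sees, so there is no gap to slip through.
    """
    normalized = value.upper()
    if any(token in normalized for token in DENIED_TOKENS):
        return None
    return normalized


def suspicious_case_mapping(value: str) -> bool:
    """Detection heuristic for logs or input validation.

    Flags input that contains non-ASCII characters but collapses to pure ASCII
    after uppercasing. Legitimate non-ASCII text (names, CJK, accented words)
    stays non-ASCII; input built to exploit the mapping does not.
    """
    return (not value.isascii()) and value.upper().isascii()


if __name__ == "__main__":
    for sample in ("report", "system", "\u017fy\u017ftem", "f\u0131le", "日本"):
        print(
            repr(sample),
            "vulnerable ->", guard_lower_then_upper(sample),
            "| hardened ->", guard_same_transform(sample),
            "| suspicious:", suspicious_case_mapping(sample),
        )
```

The lowercase-vs-uppercase mismatch is only one way to open this gap; any guard that runs before a case, width, or normalization change the consumer later applies has the same problem. The rule that closes it is to validate the value in the exact form the consumer uses, and, for fields that are supposed to be identifiers, to reject non-ASCII input outright rather than relying on case mapping to be harmless.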
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-19180
Vulnerability details
DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, a threat actor may take advantage of a feature in Java in which the character "ı" becomes "I" when converted to uppercase, and the character "ſ" becomes "S" when converted to uppercase. A threat actor who uses a carefully crafted message that exploits this character conversion can cause remote code execution. The vulnerability has been fixed in v2.10.11. No known workarounds are available.
- CWE(s): CWE-153 (Improper Neutralization of Substitution Characters)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.