CVE-2025-57773
Published: 25 August 2025
Summary
CVE-2025-57773 is a critical-severity Code Injection (CWE-94) vulnerability in Dataease Dataease. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 37.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CVE by requiring timely remediation through patching to DataEase version 2.10.12, which fixes the unfiltered DB2 parameters.
Prevents JNDI injection attacks by validating and filtering untrusted inputs in DB2 parameters before processing.
Detects unauthorized file writes resulting from the AspectJWeaver deserialization exploit through software and file integrity verification.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
JNDI injection in DB2 parameters enables deserialization via AspectJWeaver, resulting in arbitrary file write on the DataEase server. This facilitates exploitation of a public-facing BI web application (T1190) and deployment of web shells for persistence and remote code execution (T1100).
NVD Description
DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.12, because DB2 parameters are not filtered, a JNDI injection attack can be directly launched. JNDI triggers an AspectJWeaver deserialization attack, writing to various files. This…
more
vulnerability requires commons-collections 4.x and aspectjweaver-1.9.22.jar. The vulnerability has been fixed in version 2.10.12.
Deeper analysisAI
CVE-2025-57773 is a critical vulnerability in DataEase, an open source business intelligence and data visualization tool. In versions prior to 2.10.12, DB2 parameters are not properly filtered, enabling a JNDI injection attack. This injection triggers an AspectJWeaver deserialization attack, allowing arbitrary file writes. The issue, associated with CWE-94 (code injection) and CWE-502 (deserialization of untrusted data), requires the presence of commons-collections 4.x and aspectjweaver-1.9.22.jar, and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction. By injecting malicious JNDI payloads via unfiltered DB2 parameters, attackers trigger deserialization through AspectJWeaver, enabling writes to various files on the target system. This can lead to severe impacts, including high confidentiality, integrity, and availability disruptions, such as remote code execution or system compromise.
The vulnerability has been fixed in DataEase version 2.10.12. Security practitioners should upgrade to this version immediately. Relevant details are available in the project's GitHub security advisory (GHSA-7r8j-6whv-4j5p) and the fixing commit (8d04e92d44e1bac9284e9e64df5afd7f96d9373c).
Details
- CWE(s)