CVE-2025-58045
Published: 15 September 2025
Summary
CVE-2025-58045 is a high-severity SSRF (CWE-918) vulnerability in Dataease. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 14.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Dataease, an open source data analytics and visualization platform, is affected by an incomplete input filter in versions up to 2.10.12. A prior patch intended to block DB2 JDBC deserialization remote code execution only blacklisted the rmi parameter in connection strings, leaving the ldap parameter unfiltered and permitting server-side request forgery (SSRF, CWE-918).
An authenticated attacker with the ability to supply a crafted DB2 JDBC connection string can trigger SSRF against internal or external resources. Although modern Java releases disable ldap deserialization by default and thereby prevent remote code execution, the SSRF path remains usable for reconnaissance or abuse of server-side network access.
The issue is resolved in version 2.10.13. The project’s security advisory and associated commit recommend upgrading to 2.10.13 or later; no alternative workarounds are documented. The EPSS score has remained flat at 0.0254 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-29209
Vulnerability details
Dataease is an open source data analytics and visualization platform. In Dataease versions up to 2.10.12, the patch introduced to mitigate DB2 JDBC deserialization remote code execution attacks only blacklisted the rmi parameter. The ldap parameter in the DB2 JDBC connection string was not filtered, allowing attackers to exploit the DB2 JDBC connection string to trigger server-side request forgery (SSRF). In higher versions of Java, ldap deserialization (autoDeserialize) is disabled by default, preventing remote code execution, but SSRF remains exploitable. Versions up to 2.10.12 are affected. The issue is fixed in version 2.10.13. Updating to 2.10.13 or later is recommended. No known workarounds are documented aside from upgrading.
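The filtering gap described above (a denylist that matches only rmi, so an ldap-valued property passes) is easiest to see against an allowlist validator. The code below is an added example, not DataEase project code; the URL layout `jdbc:db2://host:port/db:key=value;...`, the property names, and the sample URLs are assumptions constructed for illustration.

```python
import re

# Denylist in the spirit of the incomplete patch: only 'rmi' is blocked.
DENYLIST = ("rmi",)

# Allowlist: only properties the application genuinely needs (assumed set).
ALLOWED_PROPS = {"user", "password", "currentSchema", "sslConnection"}
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")
DB_RE = re.compile(r"^[A-Za-z0-9_]+$")

# Constructed sample URLs; hostnames and values are placeholders.
BENIGN = "jdbc:db2://db.example.internal:50000/sales:user=app;sslConnection=true;"
SUSPICIOUS = ("jdbc:db2://db.example.internal:50000/sales:"
              "user=app;extraParam=ldap://PLACEHOLDER/x;")


def parse_db2_url(url):
    """Split 'jdbc:db2://host:port/db:k=v;k2=v2;' into (host, port, db, props)."""
    prefix = "jdbc:db2://"
    if not url.startswith(prefix):
        raise ValueError("not a DB2 JDBC URL")
    hostport, _, tail = url[len(prefix):].partition("/")
    host, _, port = hostport.partition(":")
    db, _, props_str = tail.partition(":")
    props = {}
    for item in filter(None, props_str.split(";")):
        key, _, value = item.partition("=")
        props[key.strip()] = value.strip()
    return host, port, db, props


def denylist_check(url):
    """Incomplete check: rejects only URLs containing 'rmi' (case-insensitive)."""
    return not any(bad in url.lower() for bad in DENYLIST)


def allowlist_check(url):
    """Strict check: known host/db syntax, numeric port, allowlisted properties,
    and no property value that itself carries a URL scheme."""
    try:
        host, port, db, props = parse_db2_url(url)
    except ValueError:
        return False
    if not HOST_RE.match(host) or not port.isdigit() or not DB_RE.match(db):
        return False
    if any(key not in ALLOWED_PROPS for key in props):
        return False
    return all("://" not in value for value in props.values())
```

The denylist accepts both sample URLs, while the allowlist accepts only the benign one, which is the behavioural difference the advisory's fix narrows.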
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Exploit Public-Facing Application (T1190): direct remote exploitation of the public-facing Dataease application through incomplete JDBC connection-string validation that enables SSRF.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mandates validation of information inputs such as DB2 JDBC connection strings, blocking unfiltered 'ldap' parameters that enable SSRF.
- SI-2 (Flaw Remediation): requires timely remediation of flaws such as the incomplete patch in Dataease up to 2.10.12 by applying updates such as version 2.10.13.
- SC-7 (Boundary Protection): boundary protections monitor and control outbound communications to mitigate SSRF requests triggered by malicious JDBC connection strings.