CVE-2025-58748
Published: 15 September 2025
Summary
CVE-2025-58748 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Dataease. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 18.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mandates validation of untrusted inputs such as JDBC URLs, ensuring they conform to the expected format (here, a 'jdbc:h2' prefix) and thereby preventing driver substitution and malicious XML loading.
- SI-2 (Flaw Remediation): requires timely flaw remediation through patching, such as updating Dataease to version 2.10.13, to remove the H2 URL validation flaw.
- Integrity verification of software components and dynamically loaded resources, such as Spring ApplicationContext XML, to block or detect malicious code execution resulting from deserialization.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- T1190 (Exploit Public-Facing Application): direct RCE via a malicious JDBC configuration submitted to a public-facing Dataease instance (CWE-502 deserialization).
NVD Description
Dataease is an open source data analytics and visualization platform. In Dataease versions up to 2.10.12 the H2 data source implementation (H2.java) does not verify that a provided JDBC URL starts with jdbc:h2. This lack of validation allows a crafted JDBC configuration that substitutes the Amazon Redshift driver and leverages the socketFactory and socketFactoryArg parameters to invoke org.springframework.context.support.FileSystemXmlApplicationContext or ClassPathXmlApplicationContext with an attacker-controlled remote XML resource, resulting in remote code execution. Versions up to and including 2.10.12 are affected. The issue is fixed in version 2.10.13. Updating to version 2.10.13 or later is the recommended remediation. No known workarounds exist.
Deeper analysis
CVE-2025-58748 is a critical remote code execution vulnerability in Dataease, an open source data analytics and visualization platform. The issue resides in the H2 data source implementation (H2.java) in versions up to and including 2.10.12, where the code fails to validate that a provided JDBC URL begins with "jdbc:h2". This flaw enables attackers to supply a malicious JDBC configuration that impersonates the Amazon Redshift driver, exploiting the socketFactory and socketFactoryArg parameters to load org.springframework.context.support.FileSystemXmlApplicationContext or ClassPathXmlApplicationContext with a remote, attacker-controlled XML resource.
Attackers require network access to a vulnerable Dataease instance and the ability to submit a crafted data source configuration, with no privileges, user interaction, or special complexity needed, as indicated by the CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation grants remote code execution, allowing full compromise of confidentiality, integrity, and availability on the affected system.
The vulnerability, classified under CWE-502 (Deserialization of Untrusted Data), has been addressed in Dataease version 2.10.13. Security advisories recommend immediate updating to 2.10.13 or later, with no known workarounds available. Relevant details are documented in the project's GitHub security advisory (GHSA-23qw-9qrh-9rr8) and the fixing commit (23a45e72a7abc37d5680b0a7cf691b8df378d4ef).
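The missing prefix check, written as a stand-alone validator for submitted H2 data source configurations (an added example, not Dataease's own H2.java code): it rejects any URL that does not start with jdbc:h2 and, as defence in depth, flags the socketFactory/socketFactoryArg parameters and the two Spring ApplicationContext classes the advisory names. Function names and the sample URLs are constructed for this example.

```python
"""Validator for H2 data source JDBC URLs, modelled on the class of check
the CVE-2025-58748 fix adds. Example code, not the Dataease project's own."""
from urllib.parse import parse_qs

H2_PREFIX = "jdbc:h2"
# Parameters the advisory describes as the driver-substitution vector.
SUSPICIOUS_PARAMS = {"socketfactory", "socketfactoryarg"}
# Classes the advisory names as the remote-XML loading sink.
SUSPICIOUS_CLASSES = (
    "org.springframework.context.support.FileSystemXmlApplicationContext",
    "org.springframework.context.support.ClassPathXmlApplicationContext",
)


def jdbc_params(url: str) -> dict:
    """Collect key/value pairs from both URL styles, with lower-cased keys:
    '?k=v&k2=v2' (PostgreSQL/Redshift-style) and ';K=V;K2=V2' (H2-style)."""
    params = {}
    base, _, query = url.partition("?")
    for key, values in parse_qs(query, keep_blank_values=True).items():
        params[key.lower()] = values[-1]
    for segment in base.split(";")[1:]:
        key, _, value = segment.partition("=")
        params[key.strip().lower()] = value.strip()
    return params


def check_h2_jdbc_url(url: str) -> list:
    """Return a list of findings; an empty list means the URL is accepted."""
    findings = []
    # The check absent in H2.java up to 2.10.12: the URL must be an H2 URL.
    if not url.startswith(H2_PREFIX):
        findings.append(f"url does not start with {H2_PREFIX}")
    params = jdbc_params(url)
    # Defence in depth: these parameters have no place in an H2 data source.
    for key in sorted(SUSPICIOUS_PARAMS.intersection(params)):
        findings.append(f"suspicious parameter {key}={params[key]}")
    for cls in SUSPICIOUS_CLASSES:
        if cls in url:
            findings.append(f"references {cls}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a legitimate in-memory H2 URL passes cleanly.
    print(check_h2_jdbc_url("jdbc:h2:mem:dataease;DB_CLOSE_DELAY=-1"))
```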
Details
- CWE(s)