Cyber Resilience

CVE-2025-62420

High · Public PoC · RCE

Published: 17 October 2025

Modified: 24 October 2025
CVSS Score (v4): 8.2 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0083 (74.9th percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-62420 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Dataease Dataease. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 25.1% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-62420 is a JDBC driver bypass vulnerability in DataEase, an open-source data visualization and analytics platform. The issue affects versions through 2.10.13 and resides in the H2 database connection handler, specifically the getJdbc function in H2.java. This function performs a prefix check on the jdbcUrl to verify it starts with "jdbc:h2" but then returns a separate jdbc field as the actual connection URL, allowing attackers to supply an arbitrary JDBC driver and connection string despite the initial validation.

An authenticated attacker with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting a jdbcUrl that passes the "jdbc:h2" prefix check while specifying a malicious jdbc field, the attacker can trigger arbitrary JDBC connections using custom drivers. This may lead to remote code execution, granting high-impact confidentiality, integrity, and availability effects.

The vulnerability has been fixed in DataEase version 2.10.14. No known workarounds are available. Additional details are provided in the GitHub security advisory at https://github.com/dataease/dataease/security/advisories/GHSA-7wcv-j6gc-qc7q and the patching commit at https://github.com/dataease/dataease/commit/bb320e42bf2cf862b9c4b438c1517547b53ed67b.


Vulnerability details

DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC driver bypass vulnerability exists in the H2 database connection handler. The getJdbc function in H2.java checks if the jdbcUrl starts with jdbc:h2 but returns a separate jdbc field as the actual connection URL. An attacker can provide a jdbcUrl that starts with jdbc:h2 while supplying a different jdbc field with an arbitrary JDBC driver and connection string. This allows an authenticated attacker to trigger arbitrary JDBC connections with malicious drivers, potentially leading to remote code execution. The vulnerability is fixed in version 2.10.14. No known workarounds exist.
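The defect described in the deeper analysis and in the vulnerability details above is a check-one-field, use-another mismatch: the prefix test runs against jdbcUrl, but the string handed to the driver comes from jdbc. The following Java is an added illustration written for this page, not DataEase's H2.java or its fix; the H2Config class, the method names getJdbcVulnerable and getJdbcHardened, and the ALLOWED_SETTINGS list are hypothetical stand-ins for the fields the advisory names. It places the vulnerable shape beside a hardened one that validates exactly the value it returns, rejects a disagreement between the two fields, requires the full "jdbc:h2:" scheme rather than a bare prefix, and allowlists the ";KEY=VALUE" settings appended to the locator.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

public final class JdbcUrlCheck {

    /** Hypothetical holder for the two fields the advisory names; not DataEase's class. */
    public static final class H2Config {
        public final String jdbcUrl; // the value the original check inspects
        public final String jdbc;    // the value the original code actually returns

        public H2Config(String jdbcUrl, String jdbc) {
            this.jdbcUrl = jdbcUrl;
            this.jdbc = jdbc;
        }
    }

    /** Vulnerable shape (as the advisory describes it): check one field, return another. */
    public static String getJdbcVulnerable(H2Config cfg) {
        if (cfg.jdbcUrl == null || !cfg.jdbcUrl.startsWith("jdbc:h2")) {
            throw new IllegalArgumentException("jdbcUrl must start with jdbc:h2");
        }
        return cfg.jdbc; // never inspected: any driver scheme can reach the driver manager
    }

    // Illustrative allowlist of H2 URL settings keys (hypothetical policy; tune per deployment).
    private static final List<String> ALLOWED_SETTINGS = Arrays.asList("MODE", "DB_CLOSE_DELAY");

    /** Hardened shape: validate the value that is used, and use the value that was validated. */
    public static String getJdbcHardened(H2Config cfg) {
        String url = cfg.jdbcUrl;
        if (url == null) {
            throw new IllegalArgumentException("jdbcUrl is required");
        }
        // A second field is tolerated only if it is identical; disagreement is the bug signature.
        if (cfg.jdbc != null && !cfg.jdbc.equals(url)) {
            throw new IllegalArgumentException("jdbc and jdbcUrl disagree");
        }
        // The scheme check includes the trailing colon, so "jdbc:h2xyz:..." is not accepted.
        final String scheme = "jdbc:h2:";
        if (!url.startsWith(scheme)) {
            throw new IllegalArgumentException("only the H2 driver scheme is permitted");
        }
        // Split the database locator from its ';KEY=VALUE' settings and allowlist the keys.
        String[] parts = url.split(";");
        if (parts[0].length() <= scheme.length()) {
            throw new IllegalArgumentException("empty database locator");
        }
        for (int i = 1; i < parts.length; i++) {
            int eq = parts[i].indexOf('=');
            String key = (eq < 0 ? parts[i] : parts[i].substring(0, eq)).trim().toUpperCase(Locale.ROOT);
            if (!ALLOWED_SETTINGS.contains(key)) {
                throw new IllegalArgumentException("connection setting not permitted: " + key);
            }
        }
        return url; // exactly the string that passed every check above
    }

    public static void main(String[] args) {
        // Constructed inputs: one consistent H2 config and one whose two fields disagree.
        H2Config consistent = new H2Config("jdbc:h2:mem:demo;MODE=MySQL", "jdbc:h2:mem:demo;MODE=MySQL");
        H2Config mismatched = new H2Config("jdbc:h2:mem:demo", "jdbc:example:placeholder-not-h2");

        System.out.println("vulnerable, consistent: " + getJdbcVulnerable(consistent));
        System.out.println("vulnerable, mismatched: " + getJdbcVulnerable(mismatched)); // hands back the unchecked field
        System.out.println("hardened,   consistent: " + getJdbcHardened(consistent));
        try {
            getJdbcHardened(mismatched);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened,   mismatched: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The design point is that validation and use must operate on the same variable. The hardened method binds url once, checks it, and returns that same reference; the equality test on the second field turns the exact condition the advisory describes (two fields that disagree) into a rejected request, and the settings allowlist is the SI-10 input-validation control from the mitigation section applied to the part of the URL the prefix check never looked at.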

CWE(s)

CWE-502 Deserialization of Untrusted Data

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assessed)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability enables authenticated low-privilege remote exploitation of a public-facing data visualization platform (DataEase) via JDBC driver bypass, leading to RCE, directly facilitating T1190 (Exploit Public-Facing Application), T1068 (Exploitation for Privilege Escalation), and T1210 (Exploitation of Remote Services).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40901 (same product: Dataease Dataease)
CVE-2025-58748 (same product: Dataease Dataease)
CVE-2025-64164 (same product: Dataease Dataease)
CVE-2025-58046 (same product: Dataease Dataease)
CVE-2025-57773 (same product: Dataease Dataease)
CVE-2024-57707 (same product: Dataease Dataease)
CVE-2025-64428 (same product: Dataease Dataease)
CVE-2026-32140 (same product: Dataease Dataease)
CVE-2024-56511 (same product: Dataease Dataease)
CVE-2026-33084 (same product: Dataease Dataease)

Affected Assets

Vendor: dataease
Product: dataease
Versions: ≤ 2.10.14

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assessed)

SI-10 Information Input Validation (prevent): Comprehensive validation of JDBC connection parameters, including both the jdbcUrl prefix and the jdbc field, directly prevents the driver bypass attack.

SI-2 Flaw Remediation (prevent): Timely flaw remediation ensures patching to DataEase version 2.10.14, which fixes the H2 getJdbc function vulnerability.

Prevent: Restricts execution of unauthorized software such as arbitrary JDBC drivers loaded via the bypassed connection handler.
