CVE-2025-62420
Published: 17 October 2025
Summary
CVE-2025-62420 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in DataEase. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 39.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): comprehensive validation of JDBC connection parameters, covering both the jdbcUrl prefix and the jdbc field, directly prevents the driver bypass.
- SI-2 (Flaw Remediation): timely patching to DataEase version 2.10.14, which fixes the H2 getJdbc function vulnerability.
- Restricting execution of unauthorized software, such as arbitrary JDBC drivers loaded via the bypassed connection handler.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables authenticated low-privilege remote exploitation of a public-facing data visualization platform (DataEase) via JDBC driver bypass, leading to RCE, directly facilitating T1190 (Exploit Public-Facing Application), T1068 (Exploitation for Privilege Escalation), and T1210 (Exploitation of Remote Services).
NVD Description
DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC driver bypass vulnerability exists in the H2 database connection handler. The getJdbc function in H2.java checks if the jdbcUrl starts with jdbc:h2 but returns a separate jdbc field as the actual connection URL. An attacker can provide a jdbcUrl that starts with jdbc:h2 while supplying a different jdbc field with an arbitrary JDBC driver and connection string. This allows an authenticated attacker to trigger arbitrary JDBC connections with malicious drivers, potentially leading to remote code execution. The vulnerability is fixed in version 2.10.14. No known workarounds exist.
Deeper analysis
CVE-2025-62420 is a JDBC driver bypass vulnerability in DataEase, an open-source data visualization and analytics platform. The issue affects versions through 2.10.13 and resides in the H2 database connection handler, specifically the getJdbc function in H2.java. This function performs a prefix check on the jdbcUrl to verify it starts with "jdbc:h2" but then returns a separate jdbc field as the actual connection URL, allowing attackers to supply an arbitrary JDBC driver and connection string despite the initial validation.
An authenticated attacker with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting a jdbcUrl that passes the "jdbc:h2" prefix check while specifying a malicious jdbc field, the attacker can trigger arbitrary JDBC connections using custom drivers. This may lead to remote code execution, granting high-impact confidentiality, integrity, and availability effects.
The vulnerability has been fixed in DataEase version 2.10.14. No known workarounds are available. Additional details are provided in the GitHub security advisory at https://github.com/dataease/dataease/security/advisories/GHSA-7wcv-j6gc-qc7q and the patching commit at https://github.com/dataease/dataease/commit/bb320e42bf2cf862b9c4b438c1517547b53ed67b.
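The validate-one-field-return-another pattern described above, shown beside a hardened form that validates exactly the value it returns. This is an added illustration, not DataEase's H2.java; the H2Config class, its field names and the placeholder driver URL are assumptions.

```java
/** Constructed config holder; field names follow the advisory's wording, not DataEase's real class. */
final class H2Config {
    final String jdbcUrl; // the field the prefix check inspects
    final String jdbc;    // the separate field the vulnerable code returns
    H2Config(String jdbcUrl, String jdbc) { this.jdbcUrl = jdbcUrl; this.jdbc = jdbc; }
}

public final class JdbcPrefixCheck {
    private static final String H2_PREFIX = "jdbc:h2:";

    /** Vulnerable pattern: the check runs on jdbcUrl, but the unchecked jdbc field is what gets used. */
    static String getJdbcVulnerable(H2Config c) {
        if (c.jdbcUrl != null && c.jdbcUrl.startsWith("jdbc:h2")) {
            return c.jdbc; // BUG: a different, unvalidated string reaches the JDBC layer
        }
        throw new IllegalArgumentException("not an H2 URL");
    }

    /** Hardened pattern: validate the one string that will be used, then return that same string. */
    static String getJdbcHardened(H2Config c) {
        if (c.jdbcUrl == null) {
            throw new IllegalArgumentException("missing jdbcUrl");
        }
        String url = c.jdbcUrl.trim();
        // Require the full "jdbc:h2:" scheme so a look-alike prefix cannot pass.
        if (!url.startsWith(H2_PREFIX)) {
            throw new IllegalArgumentException("only " + H2_PREFIX + " URLs are accepted");
        }
        // The separate jdbc field is never consulted, so there is no second value to smuggle in.
        return url;
    }

    public static void main(String[] args) {
        // Constructed input: jdbcUrl satisfies the prefix check while jdbc names some other driver.
        H2Config c = new H2Config("jdbc:h2:mem:report", "jdbc:otherdriver://PLACEHOLDER");
        System.out.println("vulnerable returns: " + getJdbcVulnerable(c)); // the otherdriver URL
        System.out.println("hardened returns:   " + getJdbcHardened(c));   // jdbc:h2:mem:report
        try {
            getJdbcHardened(new H2Config("jdbc:otherdriver://PLACEHOLDER", null));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The defensive takeaway is that the validated value and the used value must be the same object; any second source of truth for the connection string reopens the bypass.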
Details
- CWE(s)