CVE-2025-64164
Published: 06 November 2025
Summary
CVE-2025-64164 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Dataease Dataease. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely patching of the JNDI injection flaw fixed in DataEase version 2.10.15.
Requires input validation and error handling for JDBC connection parameters to block malicious JNDI payloads.
Restricts JDBC connection inputs to authorized types, formats, and values, limiting opportunities for JNDI injection.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
JNDI injection vulnerability in DataEase JDBC Oracle connection handling enables remote code execution by exploiting the public-facing web application when processing malicious JDBC URLs pointing to attacker-controlled LDAP servers.
NVD Description
Dataease is an open source data visualization analysis tool. In versions 2.10.14 and below, DataEase did not properly filter when establishing JDBC connections to Oracle, resulting in a risk of JNDI injection (Java Naming and Directory Interface injection). This issue…
more
is fixed in version 2.10.15.
Deeper analysisAI
CVE-2025-64164 is a Java Naming and Directory Interface (JNDI) injection vulnerability in DataEase, an open source data visualization analysis tool. The flaw affects versions 2.10.14 and below, stemming from improper input filtering when establishing JDBC connections to Oracle databases. Published on 2025-11-06, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-502.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. By supplying malicious input during the JDBC connection process to Oracle, they can trigger JNDI injection, enabling high-impact compromise of confidentiality, integrity, and availability on the affected DataEase instance.
The vulnerability is fixed in DataEase version 2.10.15. Mitigation involves upgrading to this patched release. Key resources include the fixing commit at https://github.com/dataease/dataease/commit/7b68eb3dfccbbd12ec977e6320dbd3e32a7bbfe6, the v2.10.15 release notes at https://github.com/dataease/dataease/releases/tag/v2.10.15, and the GitHub security advisory at https://github.com/dataease/dataease/security/advisories/GHSA-q754-4pc2-wjqw.
Details
- CWE(s)