CVE-2025-64428
Published: 20 November 2025
Summary
CVE-2025-64428 is a critical-severity Injection (CWE-74) vulnerability in Dataease. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 40.3 percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the JNDI injection vulnerability by requiring timely identification, reporting, and patching to Dataease version 2.10.17 or later.
- Prevents exploitation of the JNDI injection by validating all user inputs to block malicious schemes such as iiop, corbaname, and iiopname.
- Enforces boundary protection using web application firewalls or proxies to inspect and block network traffic containing JNDI injection payloads.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2025-64428 is a JNDI injection vulnerability in the public-facing Dataease application that enables unauthenticated remote code execution, which maps directly to T1190: Exploit Public-Facing Application.
NVD Description
Dataease is an open source data visualization analysis tool. Versions prior to 2.10.17 are vulnerable to JNDI injection. A blacklist was added in the patch for version 2.10.14. However, JNDI injection remains possible via the iiop, corbaname, and iiopname schemes. The vulnerability has been fixed in version 2.10.17.
Deeper analysis
CVE-2025-64428 is a JNDI injection vulnerability affecting Dataease, an open source data visualization analysis tool. All versions prior to 2.10.17 are vulnerable, including those from 2.10.14 onward, whose partial patch introduced a blacklist: the blacklist does not prevent JNDI injection via the iiop, corbaname, and iiopname schemes. The issue, classified under CWE-74, has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-11-20.
An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability, potentially enabling remote code execution through malicious JNDI lookups.
The GitHub security advisory (GHSA-88ph-3236-2m2h) and related commit confirm the vulnerability was fully fixed in Dataease version 2.10.17. Security practitioners should upgrade to this version or later, as the earlier 2.10.14 blacklist patch is insufficient against the specified schemes. Release notes for v2.10.17 are available on the project's GitHub repository.
Details
- CWE(s)