Which versions of Dataease are affected by CVE-2025-24974?

Organizations using DataEase face moderate risk from CVE-2025-24974, a SQL injection vulnerability rated CVSS 7.3.

Is there a public PoC exploit available for CVE-2025-24974?

Yes, a public proof-of-concept exploit is available for CVE-2025-24974. Prioritise patching immediately. EPSS: 0.4%.

How to fix or mitigate CVE-2025-24974?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Validate that input sanitization is in place for all user-controlled parameters.

Dataease CVE-2025-24974

Q: What is the CVSS score of CVE-2025-24974?

CVE-2025-24974 has a CVSS 4.0 base score of 7.3 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.4%.

HIGH

SQL Injection (CWE-89)

2025-03-13 security-advisories@github.com

SQLi Dataease

7.3

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.3 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:31 vuln.today

PoC Detected

Mar 21, 2025 - 15:40 vuln.today

Public exploit code

CVE Published

Mar 13, 2025 - 17:15 nvd

HIGH 7.3

DescriptionGitHub Advisory

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.6, authenticated users can read and deserialize arbitrary files through the background JDBC connection. The vulnerability has been fixed in v2.10.6. No known workarounds are available.

AnalysisAI

DataEase is an open source business intelligence and data visualization tool. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.6, authenticated users can read and deserialize arbitrary files through the background JDBC connection. The vulnerability has been fixed in v2.10.6. No known workarounds are available. Affected products include: Dataease. Version information: version 2.10.6.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.

CVE-2025-24974 vulnerability details – vuln.today

Back