EUVD-2025-16761CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Description
DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.6, a bypass of the patch for CVE-2025-27103 allows authenticated users to read and deserialize arbitrary files through the background JDBC connection. The vulnerability has been fixed in v2.10.10. No known workarounds are available.
Analysis
Critical authentication bypass vulnerability in DataEase (open-source BI/data visualization tool) affecting versions prior to 2.10.6, which allows authenticated users to read and deserialize arbitrary files through JDBC background connections. This represents a bypass of the patch for CVE-2025-27103, escalating the risk from the original vulnerability. The CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability, though exploitation requires valid credentials (PR:L). No public exploit code availability or active KEV listing has been confirmed, but the patch availability (v2.10.10) indicates vendor acknowledgment of active exploitation risk.
Technical Context
The vulnerability exploits insecure deserialization in DataEase's JDBC connection handling layer. CWE-89 (SQL Injection) classification suggests the root cause involves improper sanitization of JDBC connection parameters or SQL query construction, allowing attackers to inject arbitrary commands through the database connection interface. The background JDBC connection mechanism appears to execute queries with insufficient validation, permitting attackers to read arbitrary files from the underlying system. This is a second-order bypass of CVE-2025-27103, indicating the initial patch failed to comprehensively address the deserialization attack surface. The vulnerability chain likely involves: (1) authenticated session establishment, (2) manipulation of JDBC connection parameters or query payloads, (3) unsafe deserialization of server responses, and (4) file system access through the database driver's capabilities.
Affected Products
DataEase versions prior to 2.10.6 are vulnerable; the fix is available in v2.10.10. CPE string would be: cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:* (versions < 2.10.6). The product is an open-source business intelligence and data visualization platform, typically deployed in enterprise analytics environments. Specific affected configurations include: (1) any DataEase instance with JDBC database connectors enabled (standard configuration), (2) instances with authenticated user accounts, and (3) deployments where the background JDBC connection service is active. Vendor advisory: DataEase project repository and security bulletins would contain official patch release notes; users should consult https://github.com/dataease/dataease or official DataEase security documentation for advisories.
Remediation
Immediate actions: (1) Upgrade DataEase to version 2.10.10 or later—this is the confirmed patched version. (2) If immediate patching is not possible, restrict JDBC connector functionality or disable background job processing until patched. (3) Implement network segmentation to limit authenticated user access to DataEase instances. (4) Review JDBC connection configurations and ensure database credentials have minimal required permissions (principle of least privilege). (5) Monitor DataEase logs for suspicious JDBC queries or file-read attempts. (6) Audit recent user activity logs to detect if the vulnerability was exploited before patching. No workarounds are available per the CVE description, so patching is mandatory. Users should also review the patch for CVE-2025-27103 to understand what was missed in the initial fix and verify the v2.10.10 patch addresses the root cause comprehensively.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today