CVE-2025-48999

EUVD-2025-16790 | HIGH | CVSS 3.1: 8.8 | 2025-06-03

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 17:04 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 17:04 (euvd), EUVD-2025-16790
Patch Released: Mar 14, 2026 - 17:04 (nvd), Patch available
PoC Detected: Jun 05, 2025 - 14:07 (vuln.today), Public exploit code
CVE Published: Jun 03, 2025 - 21:15 (nvd), HIGH 8.8

Description

DataEase is an open source business intelligence and data visualization tool. A bypass of CVE-2025-46566's patch exists in versions prior to 2.10.10. In a malicious payload, `getUrlType()` retrieves `hostName`. Since the judgment statement returns false, it will not enter the if statement and will not be filtered. The payload can be directly concatenated at the replace location to construct a malicious JDBC statement. Version 2.10.10 contains a patch for the issue.

Analysis

Critical authentication bypass vulnerability in DataEase (open-source BI/data visualization tool) versions prior to 2.10.10 that allows authenticated attackers to bypass input validation filters introduced in CVE-2025-46566's patch. By crafting malicious payloads that exploit getUrlType() logic to evade hostname filtering, attackers can construct arbitrary JDBC statements, leading to complete compromise of confidentiality, integrity, and availability. This is a patch bypass vulnerability with authenticated access required but severe impact potential; patch version 2.10.10 is available.

Technical Context

DataEase is an open-source business intelligence and data visualization platform that integrates with databases via JDBC (Java Database Connectivity) connections. The vulnerability exists in the hostname validation logic used to filter and sanitize user-supplied connection parameters. The root cause (CWE-284: Improper Access Control) manifests as an incomplete fix to CVE-2025-46566—the `getUrlType()` function returns false for certain malicious payloads, causing the conditional check to fail and skip the intended filtering logic. Instead of properly validating and rejecting the malicious input, the application concatenates the unfiltered payload directly into JDBC connection strings via a `replace()` operation. This allows an authenticated user to inject arbitrary SQL or database-specific commands through crafted hostname values, bypassing the intended gating mechanism. Affected versions: DataEase < 2.10.10 (CPE: cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:* where version < 2.10.10).
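The conditional-filter pattern described above, next to a fail-closed alternative, as an added example that is not DataEase source code. The class, method names, the `typeMatched` flag, the URL template and the sample values are all hypothetical and constructed for illustration.

```java
import java.util.regex.Pattern;

// Added illustration, not DataEase source: every name and template here is hypothetical.
public class JdbcHostCheck {
    // Hostname labels or dotted IPv4: letters, digits, hyphen and dot only, max 253 chars.
    private static final Pattern HOST = Pattern.compile(
        "(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
        + "(\\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*");
    private static final Pattern DB_NAME = Pattern.compile("[A-Za-z0-9_]{1,64}");

    // Fail-open shape: the filter runs only when a separate type check matched.
    // typeMatched stands in for the conditional the page describes.
    static String buildFailOpen(String host, int port, String db, boolean typeMatched) {
        if (typeMatched && !HOST.matcher(host).matches()) {
            throw new IllegalArgumentException("host rejected");
        }
        // With typeMatched == false the host reaches replace() unchecked.
        return "jdbc:mysql://HOSTNAME:PORT/DATABASE"
            .replace("HOSTNAME", host)
            .replace("PORT", Integer.toString(port))
            .replace("DATABASE", db);
    }

    // Fail-closed shape: validation is unconditional, and the URL is assembled
    // from validated parts instead of by substitution into a template.
    static String buildFailClosed(String host, int port, String db) {
        if (host == null || !HOST.matcher(host).matches()) {
            throw new IllegalArgumentException("host rejected");
        }
        if (port < 1 || port > 65535) {
            throw new IllegalArgumentException("port rejected");
        }
        if (db == null || !DB_NAME.matcher(db).matches()) {
            throw new IllegalArgumentException("database name rejected");
        }
        return "jdbc:mysql://" + host + ":" + port + "/" + db;
    }

    public static void main(String[] args) {
        // Constructed sample: a "host" value carrying URL syntax beyond a hostname.
        String odd = "db.example.internal?k=v";
        System.out.println(buildFailOpen(odd, 3306, "sales", false));
        System.out.println(buildFailClosed("db.example.internal", 3306, "sales"));
        try {
            buildFailClosed(odd, 3306, "sales");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point for reviewers of similar code: any input validation guarded by a classification step must reject when the classification fails, otherwise an unrecognised value skips the filter entirely.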

Affected Products

DataEase: all versions prior to 2.10.10

Remediation

Download and deploy DataEase 2.10.10+ from the official repository (https://github.com/dataease/dataease/releases). Priority: CRITICAL - Apply immediately.

Workaround (Temporary): Review the RBAC (Role-Based Access Control) configuration in DataEase; limit 'Create/Edit Data Sources' permissions to trusted administrative accounts only. Priority: HIGH - Implement pending patch deployment.

Mitigation: Deploy WAF/IDS rules to detect malformed JDBC connection strings; implement database activity monitoring (DAM) to detect injection attempts. Priority: MEDIUM - Defense-in-depth measure.

Priority Score

64
KEV: 0
EPSS: +0.1
CVSS: +44
POC: +20
