What is the CVSS score of CVE-2025-49003?

CVE-2025-49003 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.8%.

Which versions of Java are affected by CVE-2025-49003?

DataEase versions prior to 2.10.11 contain a critical remote code execution vulnerability exploitable through Unicode character conversion in Java, enabling unauthenticated attackers to achieve…. A patch is available.

Is there a public PoC exploit available for CVE-2025-49003?

Yes, a public proof-of-concept exploit is available for CVE-2025-49003. Prioritise patching immediately. EPSS: 0.8%.

How to fix or mitigate CVE-2025-49003?

Within 24 hours: Identify all DataEase instances in your environment and document current versions; isolate any pre-2.10.11 deployments from production networks if immediate patching is not feasible. Within 7 days: upgrade all DataEase installations to version 2.10.11 or later; verify upgrades in staging environment first. Within 30 days: conduct log review for any suspicious network activity targeting DataEase instances dating back 90 days; implement network segmentation to restrict DataEase access to authorized users only.

Java CVE-2025-49003

EUVD-2025-19180 CRITICAL

Improper Neutralization of Substitution Characters (CWE-153)

2025-06-26 security-advisories@github.com

RCE Java Dataease

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 05:53 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

2.10.11

EUVD ID Assigned

Mar 15, 2026 - 23:54 euvd

EUVD-2025-19180

Analysis Generated

Mar 15, 2026 - 23:54 vuln.today

PoC Detected

Jul 09, 2025 - 18:47 vuln.today

Public exploit code

CVE Published

Jun 26, 2025 - 14:15 nvd

CRITICAL 9.8

DescriptionNVD

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, a threat actor may take advantage of a feature in Java in which the character "ı" becomes "I" when converted to uppercase, and the character "ſ" becomes "S" when converted to uppercase. A threat actor who uses a carefully crafted message that exploits this character conversion can cause remote code execution. The vulnerability has been fixed in v2.10.11. No known workarounds are available.

Analysis

Technical ContextAI

Remote code execution allows an attacker to run arbitrary commands or code on the target system over a network without prior authentication.

RemediationAI

Apply vendor patches immediately. Restrict network access to vulnerable services. Implement network segmentation and monitoring for anomalous activity.

CVE-2025-49003 vulnerability details – vuln.today

Back

Java CVE-2025-49003

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Analysis

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code