
DataEase EUVD-2025-16761 | CVE-2025-48998 HIGH
SQL Injection (CWE-89)
Published 2025-06-03 by security-advisories@github.com
CVSS 3.1 score 8.8 (GitHub Advisory)

Severity by source

GitHub Advisory (primary): 8.8 HIGH
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (7 events)

Analysis Updated: Apr 16, 2026 06:45, source EUVD-patch-fix (executive_summary)
Re-analysis Queued: Apr 16, 2026 05:29, source backfill_euvd_patch (patch_released)
Patch available: Apr 16, 2026 05:29, source EUVD (version 2.10.10)
EUVD ID Assigned: Mar 14, 2026 17:04, source euvd (EUVD-2025-16761)
Analysis Generated: Mar 14, 2026 17:04, source vuln.today
PoC Detected: Jun 09, 2025 15:13, source vuln.today (public exploit code)
CVE Published: Jun 03, 2025 19:15, source nvd (HIGH 8.8)

Description (GitHub Advisory)

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.6, a bypass of the patch for CVE-2025-27103 allows authenticated users to read and deserialize arbitrary files through the background JDBC connection. The vulnerability has been fixed in v2.10.10. No known workarounds are available.

Analysis (AI)

High-severity patch-bypass vulnerability in DataEase, an open-source BI and data visualization tool, affecting versions prior to 2.10.6: authenticated users can read and deserialize arbitrary files through background JDBC connections. Because it bypasses the patch for CVE-2025-27103, it reinstates the risk of the original vulnerability. The CVSS 8.8 score reflects high impact on confidentiality, integrity and availability, though exploitation requires valid credentials (PR:L). No public exploit code or active KEV listing has been confirmed, but the availability of a patch (v2.10.10) indicates that the vendor acknowledges the risk of active exploitation.

Technical Context (AI)

The vulnerability lies in DataEase's handling of background JDBC connections. Its CWE-89 (SQL Injection) classification suggests that the root cause is improper sanitization of JDBC connection parameters or of constructed SQL, allowing an authenticated user to inject attacker-controlled input through the database connection interface. The background JDBC connection appears to execute queries with insufficient validation, which permits reading arbitrary files from the underlying system. As a second-order bypass of CVE-2025-27103, it indicates that the initial patch did not cover the whole deserialization attack surface. The likely chain is: (1) establishing an authenticated session, (2) manipulating JDBC connection parameters or query payloads, (3) unsafe deserialization of server responses, and (4) file system access through the database driver's capabilities.

Remediation (AI)

Immediate actions:
(1) Upgrade DataEase to version 2.10.10 or later; this is the confirmed patched version.
(2) If immediate patching is not possible, restrict JDBC connector functionality or disable background job processing until patched.
(3) Apply network segmentation to limit which authenticated users can reach DataEase instances.
(4) Review JDBC connection configurations and ensure database credentials have only the permissions they need (principle of least privilege).
(5) Monitor DataEase logs for suspicious JDBC queries or file-read attempts.
(6) Audit recent user activity logs to determine whether the vulnerability was exploited before patching.
No workarounds are available per the CVE description, so patching is mandatory. Users should also review the patch for CVE-2025-27103 to understand what the initial fix missed and verify that the v2.10.10 patch addresses the root cause comprehensively.


EUVD-2025-16761 vulnerability details – vuln.today
