Code Injection Vulnerability in Progress DataDirect JDBC Drivers
CVE-2025-10702

8.6 HIGH

What is CVE-2025-10702?

A vulnerability in Progress DataDirect JDBC drivers allows for remote code inclusion due to improper handling of the SpyAttributes connection option. Attackers could exploit this flaw through an undocumented syntax, leading to the execution of arbitrary classes and constructors. This potentially impacts numerous applications that rely on these JDBC drivers for database connectivity. Users are advised to upgrade their drivers to the latest patched versions to safeguard against such exploits.

Affected Version(s)

DataDirect Connect for JDBC Autonomous REST Connector: all versions up to and including 6.0.1.006961

DataDirect Connect for JDBC for Amazon Redshift: all versions up to and including 6.0.0.001392

DataDirect Connect for JDBC for Apache Cassandra: all versions up to and including 6.0.0.000805

CVSS v4

Score: 8.6
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Brecht Snijders of Triskele Labs