Remote Code Execution Bypass in DataEase Open Source Tool
CVE-2025-57772
What is CVE-2025-57772?
CVE-2025-57772 is a vulnerability in DataEase, an open source business intelligence and data visualization tool. It is a remote code execution (RCE) bypass in the H2 JDBC connector. Prior to version 2.10.12, an attacker can manipulate the JDBC URL when specific criteria are met: the getJdbcUrl method then returns the H2 JDBC URL without passing through the filtering that was meant to block it, bypassing the security check intended to safeguard against improper access. As a consequence, the threat actor can dictate the JDBC driver used for the connection, with severe consequences for the integrity and security of organizational data.
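The class of fix this advisory calls for, shown as an added example that is not DataEase's own code: one choke point that every JDBC URL must pass through no matter which code path assembled it, rejecting any subprotocol (and driver class) that is not on the allow-list for the datasource type the user selected, so an H2 URL can never reach the driver. The datasource types, the allowed subprotocols and the driver class names in the maps are assumptions for the illustration, and the sample URLs are constructed.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not DataEase code: a single gate for JDBC URLs and driver
 * class names. Calling it unconditionally on the final URL is the point;
 * the bypass in the advisory comes from a path that skipped the filter.
 */
public final class JdbcUrlGuard {

    // Assumed mapping: datasource type -> JDBC subprotocols it may use.
    // H2 appears on no list, so "jdbc:h2:..." is rejected for every type.
    private static final Map<String, Set<String>> ALLOWED_SUBPROTOCOLS = Map.of(
            "mysql", Set.of("mysql", "mariadb"),
            "postgresql", Set.of("postgresql"),
            "sqlserver", Set.of("sqlserver"));

    // Assumed mapping: datasource type -> driver classes it may load.
    private static final Map<String, Set<String>> ALLOWED_DRIVERS = Map.of(
            "mysql", Set.of("com.mysql.cj.jdbc.Driver", "org.mariadb.jdbc.Driver"),
            "postgresql", Set.of("org.postgresql.Driver"),
            "sqlserver", Set.of("com.microsoft.sqlserver.jdbc.SQLServerDriver"));

    private JdbcUrlGuard() {}

    /**
     * Extracts the subprotocol of a JDBC URL ("jdbc:h2:mem:x" -> "h2").
     * The URL is trimmed and case-folded first so "JDBC:H2:..." is not missed.
     */
    static String subprotocol(String jdbcUrl) {
        if (jdbcUrl == null) {
            throw new IllegalArgumentException("JDBC URL is null");
        }
        String url = jdbcUrl.trim().toLowerCase(Locale.ROOT);
        String[] parts = url.split(":", 3);
        if (parts.length < 3 || !parts[0].equals("jdbc") || parts[1].isEmpty()) {
            throw new IllegalArgumentException("Malformed JDBC URL");
        }
        return parts[1];
    }

    /**
     * Returns the URL unchanged only if both its subprotocol and the driver
     * class are permitted for the selected datasource type; throws otherwise.
     */
    public static String requireAllowed(String datasourceType, String jdbcUrl, String driverClass) {
        String type = datasourceType.trim().toLowerCase(Locale.ROOT);
        Set<String> subs = ALLOWED_SUBPROTOCOLS.get(type);
        Set<String> drivers = ALLOWED_DRIVERS.get(type);
        if (subs == null || drivers == null) {
            throw new IllegalArgumentException("Unknown datasource type: " + datasourceType);
        }
        String sub = subprotocol(jdbcUrl);
        if (!subs.contains(sub)) {
            throw new IllegalArgumentException(
                    "JDBC subprotocol '" + sub + "' is not permitted for type " + type);
        }
        if (driverClass == null || !drivers.contains(driverClass.trim())) {
            throw new IllegalArgumentException(
                    "Driver class '" + driverClass + "' is not permitted for type " + type);
        }
        return jdbcUrl;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate MySQL datasource, one H2 URL
        // submitted under the MySQL type, one driver/type mismatch.
        System.out.println(requireAllowed("mysql",
                "jdbc:mysql://db.internal:3306/app", "com.mysql.cj.jdbc.Driver"));
        String[][] rejected = {
                {"mysql", " JDBC:H2:mem:test", "com.mysql.cj.jdbc.Driver"},
                {"postgresql", "jdbc:postgresql://db.internal:5432/app", "org.h2.Driver"},
        };
        for (String[] r : rejected) {
            try {
                requireAllowed(r[0], r[1], r[2]);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The design choice that matters is where the gate sits: it takes the fully assembled URL and driver name immediately before the connection is created, so it cannot be bypassed by a branch that builds the URL differently. Normalising (trim, case-fold) before matching, and matching against an allow-list rather than a deny-list of "h2", means an unexpected subprotocol fails closed.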
Potential impact of CVE-2025-57772
- Unauthorized Remote Code Execution: The vulnerability enables an attacker to execute arbitrary code on the server, which can lead to complete system compromise, allowing the malicious actor to control the affected environment.
- Data Breach Risks: Exploitation of this flaw can result in unauthorized access to sensitive data stored within the DataEase instance. This exposure can have severe implications, particularly if personal or confidential information is involved, leading to potential compliance violations and reputational harm.
- Potential for Malware Deployment: The ability to execute arbitrary code also opens the door for malware installation or propagation within the network, which could compromise not only the DataEase environment but also connected systems, creating an extensive attack vector.

Affected Version(s)
dataease < 2.10.12
