JDBC URL Injection Vulnerability in DataEase by DataEase Technologies
CVE-2025-62419

8.2 HIGH

Key Information:

Vendor

Dataease

Status
Vendor
CVE Published: 17 October 2025

What is CVE-2025-62419?

DataEase, a data visualization and analytics platform, is affected by a JDBC URL injection vulnerability in its DB2 and MongoDB data source configuration handlers. In versions prior to 2.10.14, when the extraParams field is left empty, the HOSTNAME, PORT, and DATABASE parameters are concatenated directly into the JDBC URL without sanitization. An attacker can therefore inject malicious JDBC strings through the HOSTNAME field, which can bypass previous security patches. The vulnerability affects several versions of DataEase and has no known workarounds.
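
A minimal sketch of the concatenation pattern described above next to an allowlist check on each field, using the DB2 URL form `jdbc:db2://host:port/database`. This is an added example, not DataEase's code or its actual patch; the class name, method names, allowlist patterns and sample values are assumptions made for illustration.

```java
import java.util.regex.Pattern;

// Added illustration: hypothetical names, not taken from the DataEase code base.
public class JdbcUrlFields {
    // Assumed allowlist: DNS labels or IPv4 only. No ':', '/', ';', '?', '&' or '=',
    // so a host value cannot introduce its own port, path or property section.
    private static final Pattern HOST = Pattern.compile(
        "^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
        + "(\\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$");
    // Assumed conservative database-name allowlist.
    private static final Pattern DATABASE = Pattern.compile("^[A-Za-z0-9_]{1,64}$");

    // The pattern the advisory describes: fields concatenated as supplied.
    static String buildUnchecked(String host, String port, String db) {
        return "jdbc:db2://" + host + ":" + port + "/" + db;
    }

    // Each field is validated on its own before it reaches the URL.
    static String buildChecked(String host, String port, String db) {
        if (host == null || !HOST.matcher(host).matches()) {
            throw new IllegalArgumentException("invalid HOSTNAME");
        }
        int p;
        try {
            p = Integer.parseInt(port);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("invalid PORT");
        }
        if (p < 1 || p > 65535) {
            throw new IllegalArgumentException("invalid PORT");
        }
        if (db == null || !DATABASE.matcher(db).matches()) {
            throw new IllegalArgumentException("invalid DATABASE");
        }
        return "jdbc:db2://" + host + ":" + p + "/" + db;
    }

    public static void main(String[] args) {
        // Constructed sample values; the property name is a placeholder.
        String hostile = "db2.example.internal:50000/SAMPLE:exampleProperty=value;";
        // Unchecked: the host value supplies its own port, database and property section.
        System.out.println(buildUnchecked(hostile, "50000", "SAMPLE"));
        System.out.println(buildChecked("db2.example.internal", "50000", "SAMPLE"));
        try {
            buildChecked(hostile, "50000", "SAMPLE");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The host pattern deliberately rejects bracketed IPv6 literals; a deployment that needs them should parse and re-serialize the address rather than loosen the character set.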

Affected Version(s)

dataease < 2.10.14

CVSS V4

Score: 8.2
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
