JDBC URL Injection Vulnerability in DataEase by DataEase Technologies
CVE-2025-62419
8.2 HIGH
What is CVE-2025-62419?
DataEase, a data visualization and analytics platform, is susceptible to a JDBC URL injection vulnerability in its DB2 and MongoDB data source configuration handlers. In versions prior to 2.10.14, if the extraParams field is left empty, critical parameters such as HOSTNAME, PORT, and DATABASE are concatenated into the JDBC URL without proper sanitization. This oversight allows attackers to inject harmful JDBC strings into the HOSTNAME field, posing a risk of bypassing previous security patches. The vulnerability affects several versions of DataEase and has no known workarounds.
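The unsanitized concatenation described above, next to an allow-list check on each field, as an added example (not DataEase's code or its actual fix). The class name `Db2UrlBuilder`, the validation patterns and the sample values are assumptions constructed for illustration.

```java
import java.util.regex.Pattern;

// Hypothetical helper (not DataEase code): validate each field before it reaches the JDBC URL.
public class Db2UrlBuilder {
    // Hostname labels or dotted IPv4 only: no ':', '/', ';', '=', '?', '&' or whitespace.
    private static final Pattern HOST = Pattern.compile(
        "^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
        + "(\\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$");
    private static final Pattern PORT = Pattern.compile("^[0-9]{1,5}$");
    // Assumed conservative allow-list for database names.
    private static final Pattern DATABASE = Pattern.compile("^[A-Za-z0-9_]{1,128}$");

    // The pattern described above: fields concatenated as supplied.
    static String buildUnchecked(String host, String port, String db) {
        return "jdbc:db2://" + host + ":" + port + "/" + db;
    }

    // Same URL shape, but every field must match its allow-list first.
    static String buildChecked(String host, String port, String db) {
        require(HOST, host, "hostname");
        require(PORT, port, "port");
        if (Integer.parseInt(port) < 1 || Integer.parseInt(port) > 65535) {
            throw new IllegalArgumentException("port out of range");
        }
        require(DATABASE, db, "database");
        return "jdbc:db2://" + host + ":" + port + "/" + db;
    }

    private static void require(Pattern p, String value, String field) {
        if (value == null || !p.matcher(value).matches()) {
            throw new IllegalArgumentException("invalid " + field);
        }
    }

    public static void main(String[] args) {
        // Constructed sample values; "injectedProperty" is a placeholder, not a real driver property.
        String plainHost = "db2.example.internal";
        String craftedHost = "db2.example.internal:50000/SAMPLE:injectedProperty=value;";
        System.out.println(buildChecked(plainHost, "50000", "SAMPLE"));
        // Unchecked: the host value now supplies its own port, database and property section.
        System.out.println(buildUnchecked(craftedHost, "50000", "SAMPLE"));
        try {
            buildChecked(craftedHost, "50000", "SAMPLE");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

IPv6 literals are rejected by this host pattern; a deployment that needs them would add an explicit bracketed form to the allow-list.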
Affected Version(s)
dataease < 2.10.14
