JNDI Injection Vulnerability in DataEase Open Source Data Visualization Tool
CVE-2025-64164

8.9HIGH

Key Information:

Vendor

Dataease

Status
Dataease
Vendor
CVE Published:
6 November 2025

What is CVE-2025-64164?

DataEase, an open source data visualization analysis tool, has a vulnerability in versions prior to 2.10.15 that fails to properly sanitize inputs when establishing JDBC connections with Oracle databases. This flaw opens the door to potential JNDI injection attacks, which could allow unauthorized access and manipulation of sensitive data. To mitigate this risk, users are urged to upgrade their installations to version 2.10.15, which implements necessary security measures to eliminate this vulnerability.

Affected Version(s)

dataease < 2.10.15

References

https://github.com/dataease/dataease/security/advisories/...
x_refsource_CONFIRM
https://github.com/dataease/dataease/commit/7b68eb3dfccbb...
x_refsource_MISC
https://github.com/dataease/dataease/releases/tag/v2.10.15
x_refsource_MISC

CVSS V4

Score:
8.9
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.