CVE-2025-49003 HIGH

CVE-2025-49003: Dataease H2 JDBC Connection Remote Code Execution

Vendor Dataease
Product dataease
Weakness CWE-153
Published June 26, 2025
Last update June 26, 2025

CVSS base score

8.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, a threat actor may take advantage of a property of Java's uppercase conversion: the character "ı" (dotless i) becomes "I" when converted to uppercase, and the character "ſ" (long s) becomes "S". A threat actor who sends a carefully crafted message that exploits this character conversion can cause remote code execution. The vulnerability has been fixed in v2.10.11. No known workarounds are available.
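The case-mapping behaviour described above, shown in an added defensive example that is not DataEase's or H2's code: the blocked property names, the modelled driver parsing and the sample URL are constructed placeholders; what carries over from the advisory is that Python's `str.upper()` maps "ı" and "ſ" exactly as Java's `toUpperCase()` does, so a filter that normalizes differently from its consumer is bypassable.

```python
# Added example (not DataEase code): how Unicode case mapping defeats a keyword
# filter that does not normalize the same way the downstream consumer does.
# Python's str.upper() applies the same mappings as Java's String.toUpperCase()
# for the two characters named in the advisory: "ı" (U+0131) -> "I", "ſ" (U+017F) -> "S".

# Constructed blocklist of hypothetical connection-property names a validator
# wants to reject in a user-supplied JDBC URL (placeholders, not H2's real properties).
BLOCKED_PROPERTIES = ("ADMIN", "USERS")


def consumer_property_names(jdbc_url):
    """Model of a driver that splits ';key=value' pairs and upper-cases each key
    before interpreting it (the normalization the advisory's bypass relies on)."""
    names = []
    for part in jdbc_url.split(";")[1:]:
        key, _, _value = part.partition("=")
        names.append(key.strip().upper())
    return names


def weak_filter_allows(jdbc_url):
    """Weak: case-insensitive substring match via lower() on the raw text. A key
    spelled with "ı" or "ſ" never matches the blocked name here, yet the consumer
    still upper-cases it into exactly that name."""
    lowered = jdbc_url.lower()
    return not any(name.lower() in lowered for name in BLOCKED_PROPERTIES)


def hardened_filter_allows(jdbc_url):
    """Hardened: reject any non-ASCII character up front (a connection URL has no
    business carrying them), then compare the parsed keys using the consumer's own
    normalization instead of a substring test on the raw string."""
    if not jdbc_url.isascii():
        return False
    return not any(name in BLOCKED_PROPERTIES for name in consumer_property_names(jdbc_url))


if __name__ == "__main__":
    crafted = "jdbc:h2:mem:test;admın=1;uſerſ=2"  # constructed input using ı and ſ
    print(consumer_property_names(crafted))   # ['ADMIN', 'USERS']
    print(weak_filter_allows(crafted))        # True  (bypassed)
    print(hardened_filter_allows(crafted))    # False (rejected)
```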

Key dates

Disclosure timeline

June 26, 2025 CVE published
June 26, 2025 Record updated