CVE-2025-62420 HIGH

CVE-2025-62420: DataEase vulnerable to remote code execution via H2 JDBC driver bypass

Vendor Dataease
Product dataease
Weakness CWE-502 · Unsafe deserialization
Published October 17, 2025
Last update October 17, 2025
View on NVD All CVEs

CVSS base score

8.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC driver bypass vulnerability exists in the H2 database connection handler. The getJdbc function in H2.java checks if the jdbcUrl starts with jdbc:h2 but returns a separate jdbc field as the actual connection URL. An attacker can provide a jdbcUrl that starts with jdbc:h2 while supplying a different jdbc field with an arbitrary JDBC driver and connection string. This allows an authenticated attacker to trigger arbitrary JDBC connections with malicious drivers, potentially leading to remote code execution. The vulnerability is fixed in version 2.10.14. No known workarounds exist.

Key dates

02Disclosure timeline

October 17, 2025 CVE published
October 17, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-52413 WordPress Airin Blog theme <= 1.6.1 - PHP Object Injection vulnerability CVE-2025-47582 WordPress WPBot Pro Wordpress Chatbot <= 12.7.0 - PHP Object Injection Vulnerability CVE-2025-69370 WordPress Capella theme <= 2.5.5 - PHP Object Injection vulnerability CVE-2025-60221 WordPress Captivate Sync Plugin <= 3.0.3 - PHP Object Injection Vulnerability CVE-2024-49626 WordPress Shipyaari Shipping Management plugin <= 1.2 - PHP Object Injection vulnerability