CVE-2025-64163 HIGH

CVE-2025-64163: DataEase's DB2 is vulnerable to SSRF

Vendor Dataease

Product dataease

Weakness CWE-918 · SSRF

Published November 5, 2025

Last update November 6, 2025

View on NVD All CVEs

CVSS base score

8.9/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

DataEase is an open source data visualization analysis tool. In versions 2.10.14 and below, the vendor added a blacklist to filter ldap:// and ldaps://. However, omission of protection for the dns:// protocol results in an SSRF vulnerability. This issue is fixed in version 2.10.15.

Key dates

02Disclosure timeline

November 5, 2025 CVE published

November 6, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-64163

Related vulnerabilities

04Related CVE

CVE-2026-10771 crmeb crmeb_java base64 Qrcode Endpoint RestTemplateUtil.java RestTemplate.getForEntity server-side request forgery CVE-2026-42194 Incomplete fix for CVE-2026-32812: SSRF in admidio CVE-2026-45347 Open WebUI: Blind server side request forgery (SSRF) via the PDF generate function CVE-2026-4874 Org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: keycloak: server-side request forgery via oidc token endpoint manipulation CVE-2020-14327