CVE-2025-64164 HIGH

CVE-2025-64164: DataEase is vulnerable to Oracle JNDI Injection

Vendor Dataease

Product dataease

Weakness CWE-502 · Unsafe deserialization

Published November 6, 2025

Last update November 6, 2025

View on NVD All CVEs

CVSS base score

8.9/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

Dataease is an open source data visualization analysis tool. In versions 2.10.14 and below, DataEase did not properly filter when establishing JDBC connections to Oracle, resulting in a risk of JNDI injection (Java Naming and Directory Interface injection). This issue is fixed in version 2.10.15.

Key dates

02Disclosure timeline

November 6, 2025 CVE published

November 6, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-64164

Related vulnerabilities

04Related CVE

CVE-2024-47636 WordPress WP JobSearch plugin <= 2.5.9 - PHP Object Injection vulnerability CVE-2025-39550 WordPress FluentCommunity plugin <= 1.2.15 - PHP Object Injection Vulnerability CVE-2021-41110 CWL Viewer: deserialization of untrusted data can lead to complete takeover by an attacker CVE-2025-48389 FreeScout Vulnerable to Deserialization of Untrusted Data CVE-2024-22369 Apache Camel: Camel-SQL: Unsafe Deserialization from JDBCAggregationRepository