Description

DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC driver bypass vulnerability exists in the H2 database connection handler. The getJdbc function in H2.java checks if the jdbcUrl starts with jdbc:h2 but returns a separate jdbc field as the actual connection URL. An attacker can provide a jdbcUrl that starts with jdbc:h2 while supplying a different jdbc field with an arbitrary JDBC driver and connection string. This allows an authenticated attacker to trigger arbitrary JDBC connections with malicious drivers, potentially leading to remote code execution. The vulnerability is fixed in version 2.10.14. No known workarounds exist.

INFO

Published Date :

2025-10-17T17:11:18.388Z

Last Modified :

2025-10-17T17:34:52.863Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-62420 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-62420.

URL Resource
https://github.com/dataease/dataease/commit/bb320e42bf2cf862b9c4b438c1517547b53ed67b cve-icon cve-icon
https://github.com/dataease/dataease/security/advisories/GHSA-7wcv-j6gc-qc7q cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability