CVE-2025-58045 · CRITICAL 9.8 · EPSS percentile 46.1%

Description

DataEase is an open source data analytics and visualization platform. In DataEase versions up to and including 2.10.12, the patch introduced to mitigate remote code execution through DB2 JDBC deserialization only blacklisted the rmi parameter; the ldap parameter in the DB2 JDBC connection string was left unfiltered. An attacker who can supply a DB2 JDBC connection string can therefore still make the server perform an LDAP lookup against a host of their choosing, i.e. server-side request forgery (SSRF). On newer Java runtimes, deserialization of objects returned over LDAP (autoDeserialize) is disabled by default, which prevents remote code execution, but the SSRF remains exploitable. The issue is fixed in version 2.10.13; upgrading to 2.10.13 or later is recommended, and no workaround other than upgrading is documented.
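The weakness described above is a blocklist that names one JNDI scheme and misses its siblings. The following is an added example, not DataEase code and not the project's actual fix: it parses a DB2 JDBC URL into its properties, shows the rmi-only check next to a hardened check that rejects every JNDI URL scheme in any property value and additionally allow-lists property names. It is written in Python for illustration; the same logic applies to a Java-side validator. The property name `someProp`, the host `attacker.example`, the allow-list contents and the sample URLs are all constructed for the example; the page does not name the DB2 driver property involved, which is why the hardened check inspects every value regardless of key.

```python
"""Illustrative validator for JNDI lookups smuggled into a DB2 JDBC URL.

Added example; not DataEase code. `someProp` below is a hypothetical property
name and `attacker.example` a placeholder host; the allow-list is illustrative.
"""
import re

# URL schemes a Java JNDI InitialContext.lookup() will resolve over the network.
# The insufficient patch described in the advisory rejected only "rmi".
JNDI_SCHEMES = ("rmi", "ldap", "ldaps", "dns", "iiop", "iiopname",
                "corbaname", "nis", "nds")

# Scheme must not be preceded by an alphanumeric (so "xrmi:" is not a hit),
# may be followed by whitespace before the colon, and is matched case-insensitively.
_JNDI_RE = re.compile(r"(?<![a-z0-9])(" + "|".join(JNDI_SCHEMES) + r")\s*:",
                      re.IGNORECASE)
_RMI_ONLY_RE = re.compile(r"(?<![a-z0-9])rmi\s*:", re.IGNORECASE)

# Illustrative allow-list of DB2 JCC properties a deployment actually uses
# (lower-cased). A real deployment populates this from the driver documentation.
ALLOWED_PROPS = {"user", "password", "sslconnection", "currentschema"}


def split_db2_url(url):
    """Split 'jdbc:db2://host[:port]/db[:k=v;k=v;]' into (database, {key: value}).

    Keys are case-folded so the allow-list comparison is case-insensitive;
    values are kept verbatim for the scheme check.
    """
    if not url.lower().startswith("jdbc:db2://"):
        raise ValueError("not a DB2 JDBC URL")
    rest = url[len("jdbc:db2://"):]
    hostport, slash, dbpart = rest.partition("/")
    if not slash or not hostport:
        raise ValueError("missing host or database")
    database, colon, propstr = dbpart.partition(":")
    props = {}
    if colon:
        for item in propstr.split(";"):
            if not item.strip():
                continue
            key, eq, value = item.partition("=")
            if not eq:
                raise ValueError("malformed property: %r" % item)
            props[key.strip().lower()] = value.strip()
    return database, props


def weak_check(url):
    """The insufficient fix: reject the URL only when an rmi: lookup appears in it.

    Returns None when accepted, otherwise a short reason string.
    """
    return "jndi-scheme:rmi" if _RMI_ONLY_RE.search(url) else None


def hardened_check(url):
    """Reject any property value naming a JNDI scheme, then any property not on
    the allow-list. Returns None when accepted, otherwise a short reason string."""
    _, props = split_db2_url(url)
    for key, value in props.items():
        m = _JNDI_RE.search(value)
        if m:
            return "jndi-scheme:%s in %s" % (m.group(1).lower(), key)
        if key not in ALLOWED_PROPS:
            return "unknown-property:%s" % key
    return None


# Constructed sample URLs (not taken from the advisory).
SAMPLES = [
    "jdbc:db2://db.example:50000/SAMPLE:sslConnection=true;",
    "jdbc:db2://db.example:50000/SAMPLE:someProp=rmi://attacker.example:1099/x;",
    "jdbc:db2://db.example:50000/SAMPLE:someProp=ldap://attacker.example:389/x;",
    "jdbc:db2://db.example:50000/SAMPLE:someProp=LDAPS://attacker.example:636/x;",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print("weak=%-16s hardened=%-28s %s" % (weak_check(u), hardened_check(u), u))
```

Running the block shows the gap the advisory describes: the rmi-only check accepts the ldap:// and LDAPS:// URLs that the hardened check rejects. Rejecting unknown property names is the stronger control, since it does not depend on enumerating every lookup scheme the JDK knows about.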

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.65% probability of exploitation · percentile 46.1% · 2026-06-18T12:00:27Z
Published: 2025-09-15
Last modified: 2025-09-19

Underlying weaknesses · 1

CWE-918

References

  1. https://github.com/dataease/dataease/commit/77078658715bd85af5867afbfd5f1fcc37cf03c8
  2. https://github.com/dataease/dataease/security/advisories/GHSA-fmq3-6xhc-r845

Type     | Target                                      | Confidence | Tier
Weakness | Server-Side Request Forgery (SSRF), CWE-918 | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE-2025-58046
  - CVE-2025-58748
  - CVE-2025-64163
  - CVE-2025-53005
  - CVE-2025-53004
  - CVE-2025-64164
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.