CVE-2025-62420 · HIGH 8.8 · EPSS p55.4%

CVE-2025-62420

Description

DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, the H2 database connection handler validates one field and uses another. The getJdbc function in H2.java checks that the jdbcUrl field starts with jdbc:h2, but returns a separate jdbc field as the connection URL actually handed to the JDBC layer, so the prefix check constrains a value that is never used. An authenticated attacker can therefore supply a jdbcUrl beginning with jdbc:h2 together with a jdbc field that names an arbitrary JDBC driver and connection string, causing the server to open an attacker-chosen JDBC connection through a driver of the attacker's choosing, which can lead to remote code execution. The vulnerability is fixed in version 2.10.14. No known workarounds exist.
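Added illustration, not code from DataEase or from the advisory: a standalone Java model of the check-versus-use mismatch the description names, with the vulnerable shape of getJdbc beside one hardened variant. The names getJdbc, jdbcUrl and jdbc are taken from the description; the ConnectionConfig class, the hardened check, the placeholder driver scheme jdbc:otherdriver and the sample inputs are assumptions made for this example, and the hardened variant is one way to close the gap rather than the project's actual fix.

```java
import java.util.Locale;
import java.util.function.Function;

// Standalone model of the CVE-2025-62420 pattern. Not DataEase's H2.java:
// getJdbc / jdbcUrl / jdbc come from the advisory text; ConnectionConfig,
// the hardened variant and the sample inputs are assumed for this demo.
public class JdbcUrlCheckDemo {

    /** Stand-in for the datasource config object that carries both fields. */
    static final class ConnectionConfig {
        final String jdbcUrl; // the field the vulnerable check inspects
        final String jdbc;    // the field the vulnerable code actually returns

        ConnectionConfig(String jdbcUrl, String jdbc) {
            this.jdbcUrl = jdbcUrl;
            this.jdbc = jdbc;
        }
    }

    /** Vulnerable shape: the prefix check and the returned value are different fields. */
    static String getJdbcVulnerable(ConnectionConfig cfg) {
        if (cfg.jdbcUrl == null || !cfg.jdbcUrl.startsWith("jdbc:h2")) {
            throw new IllegalArgumentException("not an H2 URL: " + cfg.jdbcUrl);
        }
        return cfg.jdbc; // never validated: any driver prefix reaches DriverManager
    }

    /** Hardened shape (assumed fix): validate exactly the string that will be used. */
    static String getJdbcHardened(ConnectionConfig cfg) {
        String url = cfg.jdbcUrl;
        if (url == null) {
            throw new IllegalArgumentException("missing jdbcUrl");
        }
        // Match the full scheme including the trailing colon, so a prefix such as
        // "jdbc:h2x:" cannot satisfy a looser startsWith("jdbc:h2").
        if (!url.toLowerCase(Locale.ROOT).startsWith("jdbc:h2:")) {
            throw new IllegalArgumentException("not an H2 URL: " + url);
        }
        // A second URL-bearing field must not disagree with the value that was checked.
        if (cfg.jdbc != null && !cfg.jdbc.equals(url)) {
            throw new IllegalArgumentException("jdbc field does not match validated jdbcUrl");
        }
        return url; // the checked value is the used value
    }

    /** True if the given getJdbc variant accepts the config without throwing. */
    static boolean accepts(Function<ConnectionConfig, String> getJdbc, ConnectionConfig cfg) {
        try {
            getJdbc.apply(cfg);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the advisory.
        ConnectionConfig legit = new ConnectionConfig("jdbc:h2:mem:reports", "jdbc:h2:mem:reports");
        // Attacker shape from the description: jdbcUrl satisfies the prefix check while
        // jdbc carries a different driver and connection string (placeholder scheme).
        ConnectionConfig bypass = new ConnectionConfig("jdbc:h2:mem:ignored",
                "jdbc:otherdriver://attacker.example:1234/db");

        System.out.println("vulnerable, legit  -> " + getJdbcVulnerable(legit));
        System.out.println("vulnerable, bypass -> " + getJdbcVulnerable(bypass)); // foreign URL returned
        System.out.println("hardened,   legit  -> " + getJdbcHardened(legit));
        System.out.println("hardened,   bypass -> accepted=" + accepts(JdbcUrlCheckDemo::getJdbcHardened, bypass));
    }
}
```

Run with `javac JdbcUrlCheckDemo.java && java JdbcUrlCheckDemo`. The vulnerable variant returns the attacker's foreign URL for the bypass config because only jdbcUrl was inspected; the hardened variant rejects it because the value it validates is the only value it returns, and any duplicate field is required to agree with it. Reviewing for this bug in other handlers is a matter of confirming that each validation and the later use refer to the same variable, not two fields of the same request.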

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.92% probability of exploitation · percentile 55.4% · 2026-06-18T12:00:27Z
Published: 2025-10-17
Last modified: 2025-10-24

Underlying weaknesses · 1

CWE-502

References

  1. https://github.com/dataease/dataease/commit/bb320e42bf2cf862b9c4b438c1517547b53ed67b
  2. https://github.com/dataease/dataease/security/advisories/GHSA-7wcv-j6gc-qc7q

Type      Target                                        Confidence  Tier
Weakness  Deserialization of Untrusted Data (cwe-502)   0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-57772 (CVE)
  2. CVE-2025-48999 (CVE)
  3. CVE-2025-46566 (CVE)
  4. CVE-2025-32966 (CVE)
  5. CVE-2025-53004 (CVE)
  6. CVE-2025-53005 (CVE)

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.