CVE-2025-62420
Published: 17 October 2025
Description
Exploitation of Remote Services (MITRE ATT&CK T1210): adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Security Summary
CVE-2025-62420 is a JDBC URL validation bypass in DataEase, an open-source data visualization and analytics platform. The issue affects versions through 2.10.13 and resides in the H2 database connection handler, specifically the getJdbc function in H2.java. The function checks that the jdbcUrl field starts with "jdbc:h2", but then returns a separate jdbc field as the connection URL actually used. Because the value that is validated and the value that is used are different fields, the prefix check constrains nothing: an attacker can supply an arbitrary JDBC driver and connection string in the jdbc field while keeping the jdbcUrl field well-formed.
An authenticated attacker with low privileges can exploit this over the network, with low attack complexity and no user interaction. By submitting a jdbcUrl that passes the "jdbc:h2" prefix check alongside a jdbc field pointing at a different driver, the attacker makes the server open a connection of the attacker's choosing. Whether such a connection attempt becomes remote code execution depends on which JDBC drivers are present on the server's classpath and on what their connection properties allow; the advisory rates the outcome as high impact on confidentiality, integrity, and availability.
The vulnerability has been fixed in DataEase version 2.10.14. No known workarounds are available. Additional details are provided in the GitHub security advisory at https://github.com/dataease/dataease/security/advisories/GHSA-7wcv-j6gc-qc7q and the patching commit at https://github.com/dataease/dataease/commit/bb320e42bf2cf862b9c4b438c1517547b53ed67b.
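The following is an added example, not code from DataEase or from the advisory: it reconstructs the check-one-field-return-another shape the summary describes in a small stand-alone Java program, and places a hardened version beside it. The class and field names (H2Config, jdbcUrl, jdbc), the allowed subprotocols and the allowed-settings list are assumptions chosen for illustration; the attacker-supplied strings are constructed input.

```java
import java.util.Locale;
import java.util.Set;

/*
 * Hypothetical reconstruction of the pattern described in the advisory.
 * This is illustrative code, not DataEase's H2.java.
 */
public class H2JdbcUrlCheck {

    /** Two separately attacker-controlled fields, as the advisory describes. */
    static final class H2Config {
        final String jdbcUrl; // the field the prefix check inspects
        final String jdbc;    // the field actually handed to DriverManager

        H2Config(String jdbcUrl, String jdbc) {
            this.jdbcUrl = jdbcUrl;
            this.jdbc = jdbc;
        }
    }

    /** Vulnerable shape: validates jdbcUrl, returns jdbc. */
    static String getJdbcVulnerable(H2Config cfg) {
        if (!cfg.jdbcUrl.startsWith("jdbc:h2")) {
            throw new IllegalArgumentException("not an H2 JDBC URL");
        }
        return cfg.jdbc; // never checked: any driver, any host, any parameters
    }

    // Assumed policy for the hardened version: only in-memory or file databases
    // and a short allow-list of connection settings. INIT is deliberately absent
    // because H2 executes its value as SQL on connect, so it must never be
    // user-controlled even when the driver prefix is genuinely jdbc:h2.
    private static final Set<String> ALLOWED_SUBPROTOCOLS = Set.of("mem", "file");
    private static final Set<String> ALLOWED_SETTINGS = Set.of("DB_CLOSE_DELAY", "MODE", "IFEXISTS");

    /** Hardened shape: the string that is validated is the string that is returned. */
    static String getJdbcHardened(H2Config cfg) {
        String url = cfg.jdbc;
        if (url == null || !url.startsWith("jdbc:h2:")) {
            throw new IllegalArgumentException("not an H2 JDBC URL");
        }
        String body = url.substring("jdbc:h2:".length());
        String[] segments = body.split(";");
        int colon = segments[0].indexOf(':');
        String subprotocol = colon < 0 ? "" : segments[0].substring(0, colon);
        if (!ALLOWED_SUBPROTOCOLS.contains(subprotocol)) {
            throw new IllegalArgumentException("H2 subprotocol not allowed: " + subprotocol);
        }
        for (int i = 1; i < segments.length; i++) {
            String key = segments[i].split("=", 2)[0].trim().toUpperCase(Locale.ROOT);
            if (!ALLOWED_SETTINGS.contains(key)) {
                throw new IllegalArgumentException("H2 setting not allowed: " + key);
            }
        }
        return url;
    }

    public static void main(String[] args) {
        // Constructed input: a jdbcUrl that satisfies the prefix check, paired with
        // a jdbc field naming a different driver and an attacker-chosen host.
        H2Config crafted = new H2Config(
                "jdbc:h2:mem:probe",
                "jdbc:postgresql://attacker.example:5432/db");
        System.out.println("vulnerable returns: " + getJdbcVulnerable(crafted));
        try {
            getJdbcHardened(crafted);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened rejects: " + e.getMessage());
        }

        // A legitimate in-memory URL still passes the hardened check.
        H2Config ok = new H2Config(
                "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1",
                "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1");
        System.out.println("hardened accepts: " + getJdbcHardened(ok));

        // A genuine H2 URL carrying INIT is rejected by the settings allow-list.
        H2Config init = new H2Config(
                "jdbc:h2:mem:x",
                "jdbc:h2:mem:x;INIT=RUNSCRIPT FROM 'x.sql'");
        try {
            getJdbcHardened(init);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened rejects: " + e.getMessage());
        }
    }
}
```

The point of the hardened version is not the particular allow-list but that validation and use operate on the same value; the allow-list on subprotocol and settings is the extra check a reviewer would ask for once the field mix-up is closed, since a correctly prefixed H2 URL can still carry dangerous connection options.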
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability lets an authenticated low-privilege user of a network-reachable application (DataEase) turn a data-source request into an attacker-controlled JDBC connection, with remote code execution as the possible outcome. That maps to T1190 (Exploit Public-Facing Application) where the DataEase instance is exposed externally, T1210 (Exploitation of Remote Services) where it is reached from inside the network, and T1068 (Exploitation for Privilege Escalation) because a low-privilege application account gains execution in the context of the DataEase server process.