Cyber Posture

CVE-2025-64164

Severity: Critical · Public PoC

Published: 06 November 2025
Modified: 07 November 2025
KEV Added: none recorded
Patch: available (see Security Summary)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (34.9th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-64164 is a Java Naming and Directory Interface (JNDI) injection vulnerability in DataEase, an open source data visualization analysis tool. The flaw affects versions 2.10.14 and below, stemming from improper input filtering when establishing JDBC connections to Oracle databases. Published on 2025-11-06, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-502.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. By supplying malicious input during the JDBC connection process to Oracle, they can trigger JNDI injection, enabling high-impact compromise of confidentiality, integrity, and availability on the affected DataEase instance.

The vulnerability is fixed in DataEase version 2.10.15. Mitigation involves upgrading to this patched release. Key resources include the fixing commit at https://github.com/dataease/dataease/commit/7b68eb3dfccbbd12ec977e6320dbd3e32a7bbfe6, the v2.10.15 release notes at https://github.com/dataease/dataease/releases/tag/v2.10.15, and the GitHub security advisory at https://github.com/dataease/dataease/security/advisories/GHSA-q754-4pc2-wjqw.

Details

CWE(s): CWE-502

Affected Products

Vendor: dataease
Product: dataease
Versions: ≤ 2.10.15

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The JNDI injection in DataEase's handling of Oracle JDBC connections enables remote code execution through the public-facing web application: the vulnerable code accepts malicious JDBC URLs that point to attacker-controlled LDAP servers instead of rejecting them.
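As an added illustration of the mitigation pattern the summary and the technique rationale describe (strict filtering of the Oracle JDBC URL before a connection is attempted), the following Java class is example code written for this page, not DataEase's own fix. It assumes only the two plain Oracle thin URL forms (host:port:sid and //host:port/service) are legitimate for the deployment, and the allow-listed hosts and sample URLs are constructed placeholders.

```java
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;

/**
 * Added example (not DataEase code): allow-list validation for a
 * user-supplied Oracle thin JDBC URL before it reaches DriverManager.
 * Only two plain forms are accepted:
 *   jdbc:oracle:thin:@host:port:sid
 *   jdbc:oracle:thin:@//host:port/service
 * Anything else (LDAP naming such as @ldap://..., TNS descriptors,
 * trailing connection properties) is rejected rather than sanitized.
 */
public final class OracleJdbcUrlGuard {
    private static final String PREFIX = "jdbc:oracle:thin:@";
    private static final String HOST =
        "[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*";
    private static final String PORT = "[1-9][0-9]{0,4}";
    private static final String NAME = "[A-Za-z0-9_.$-]{1,64}";
    private static final Pattern SID_FORM =
        Pattern.compile("^" + Pattern.quote(PREFIX) + HOST + ":" + PORT + ":" + NAME + "$");
    private static final Pattern SERVICE_FORM =
        Pattern.compile("^" + Pattern.quote(PREFIX) + "//" + HOST + ":" + PORT + "/" + NAME + "$");

    // Hypothetical allow-list of database hosts an operator has approved.
    private static final List<String> ALLOWED_HOSTS =
        List.of("db01.internal.example", "db02.internal.example");

    /** Returns true only for a plain-form URL whose host is allow-listed. */
    public static boolean isSafe(String url) {
        if (url == null || url.length() > 512) return false;
        boolean plainForm = SID_FORM.matcher(url).matches() || SERVICE_FORM.matcher(url).matches();
        if (!plainForm) return false;
        return ALLOWED_HOSTS.contains(extractHost(url).toLowerCase(Locale.ROOT));
    }

    // Called only after the URL matched one of the strict patterns above.
    private static String extractHost(String url) {
        String rest = url.substring(PREFIX.length());
        if (rest.startsWith("//")) rest = rest.substring(2);
        return rest.substring(0, rest.indexOf(':'));
    }

    public static void main(String[] args) {
        String[] samples = {                                                    // constructed inputs
            "jdbc:oracle:thin:@//db01.internal.example:1521/ORCLPDB1",          // ACCEPT
            "jdbc:oracle:thin:@db02.internal.example:1521:ORCL",                // ACCEPT
            "jdbc:oracle:thin:@ldap://directory.example:389/cn=db,dc=example",  // REJECT: LDAP naming
            "jdbc:oracle:thin:@//db01.internal.example:1521/ORCLPDB1?x=y",      // REJECT: properties
            "jdbc:oracle:thin:@//unknown.example:1521/ORCLPDB1"                 // REJECT: host not allowed
        };
        for (String s : samples) System.out.println((isSafe(s) ? "ACCEPT " : "REJECT ") + s);
    }
}
```

Rejecting anything outside the allow-listed shapes, rather than stripping suspicious substrings, is what prevents the URL from ever selecting an alternative naming provider such as LDAP.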
