Cyber Posture

CVE-2025-64428

Severity: Critical · Public PoC available

Published: 20 November 2025
Modified: 24 November 2025
KEV Added: (not listed)
Patch: available (see fixed version below)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0019 (40.3rd percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Dataease is an open source data visualization analysis tool. Versions prior to 2.10.17 are vulnerable to JNDI injection. A blacklist was added in the patch for version 2.10.14. However, JNDI injection remains possible via the iiop, corbaname, and iiopname schemes.…


The vulnerability has been fixed in version 2.10.17.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

Control type: prevent

Directly mitigates the JNDI injection vulnerability by requiring timely identification, reporting, and patching to Dataease version 2.10.17 or later.

Control type: prevent

Prevents exploitation of the JNDI injection by validating all user inputs so that only expected schemes are accepted, which blocks the iiop, corbaname, and iiopname schemes that the 2.10.14 blacklist missed.
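The control above is the reason a scheme blacklist failed here: a denylist is only as complete as its author's list of dangerous schemes, while an allowlist rejects everything that is not explicitly expected. The following is an added illustration, not Dataease's code; the partial denylist, the allowlist policy, and the sample inputs are all constructed for the example, and the hostnames are placeholders.

```python
"""Denylist versus allowlist scheme validation for URL-shaped input.

Added example, not Dataease's implementation. PARTIAL_DENYLIST is a
constructed stand-in for a blocklist that omits some JNDI-capable schemes;
ALLOWED_SCHEMES is a constructed policy for a hypothetical JDBC-only field.
"""
import re
from typing import List, Optional

# Constructed: a denylist that names the commonly cited JNDI schemes but not
# the three schemes the advisory says still reach the JNDI layer.
PARTIAL_DENYLIST = frozenset({"ldap", "ldaps", "rmi", "dns"})

# Constructed: the only scheme a hypothetical datasource field should accept.
ALLOWED_SCHEMES = frozenset({"jdbc"})

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":".
# Leading whitespace is tolerated so that padded input cannot dodge the check.
_SCHEME_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9+.\-]*):")


def extract_scheme(value: str) -> Optional[str]:
    """Return the lower-cased scheme of value, or None if it has no scheme."""
    match = _SCHEME_RE.match(value)
    return match.group(1).lower() if match else None


def denylist_check(value: str) -> bool:
    """Denylist policy: accept unless the scheme is explicitly blocked.

    Anything unrecognised, including schemes the list's author never thought
    of, is accepted. This is the shape of policy the advisory describes.
    """
    return extract_scheme(value) not in PARTIAL_DENYLIST


def allowlist_check(value: str) -> bool:
    """Allowlist policy: accept only if the scheme is explicitly permitted.

    A missing scheme or an unexpected one is rejected by default.
    """
    return extract_scheme(value) in ALLOWED_SCHEMES


def denylist_gaps(samples: List[str]) -> List[str]:
    """Schemes that the denylist lets through but the allowlist rejects."""
    gaps = []
    for sample in samples:
        scheme = extract_scheme(sample)
        if scheme is not None and denylist_check(sample) and not allowlist_check(sample):
            gaps.append(scheme)
    return gaps


# Constructed sample inputs for a hypothetical datasource configuration field.
SAMPLE_INPUTS = [
    "jdbc:mysql://db.internal.example:3306/app",   # legitimate
    "ldap://untrusted.example/x",                  # caught by the denylist
    "iiop://untrusted.example/x",                  # slips past the denylist
    "corbaname::untrusted.example/x",              # slips past the denylist
    "  IIOPNAME://untrusted.example/x",            # padded, mixed case
    "plainname",                                   # no scheme at all
]

if __name__ == "__main__":
    for sample in SAMPLE_INPUTS:
        print(f"{sample!r:45} denylist={denylist_check(sample)!s:5} "
              f"allowlist={allowlist_check(sample)}")
    print("schemes the denylist misses:", denylist_gaps(SAMPLE_INPUTS))
```

Run as a script it prints one line per sample; the denylist accepts every input except the ldap one, while the allowlist accepts only the jdbc string. The lower-casing and whitespace handling in `extract_scheme` matter in practice: a check that compares the raw prefix against `"iiop:"` would still be bypassed by `"IIOP:"` or by a leading space.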

Control type: prevent

Enforces boundary protection using web application firewalls or proxies to inspect and block network traffic containing JNDI injection payloads.

Security Summary (AI-generated)

CVE-2025-64428 is a JNDI injection vulnerability affecting Dataease, an open source data visualization analysis tool. Versions prior to 2.10.17 are vulnerable, including those released after the partial patch in version 2.10.14 that introduced a blacklist, because that blacklist does not prevent JNDI injection via the iiop, corbaname, and iiopname schemes. The issue, classified under CWE-74, has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-11-20.

An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability, potentially enabling remote code execution through malicious JNDI lookups.

The GitHub security advisory (GHSA-88ph-3236-2m2h) and related commit confirm the vulnerability was fully fixed in Dataease version 2.10.17. Security practitioners should upgrade to this version or later, as the earlier 2.10.14 blacklist patch is insufficient against the specified schemes. Release notes for v2.10.17 are available on the project's GitHub repository.

Details

CWE(s)

Affected Products

dataease / dataease: ≤ 2.10.17

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2025-64428 is a JNDI injection vulnerability in the public-facing Dataease application, enabling unauthenticated remote code execution, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References