CVE intelligence and bounded remediation

CVE-2025-62420 — DataEase is a data visualization and analytics platform

High CVSS 8.8

DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC driver bypass vulnerability exists in the H2 database connection handler. The getJdbc function in H2.java checks if the jdbcUrl starts with jdbc:h2 but returns a separate jdbc field as the actual connection URL. An attacker can provide a jdbcUrl that starts with jdbc:h2 while supplying a different jdbc field with an arbitrary JDBC driver and connection string. This allows an authenticated attacker to trigger arbitrary JDBC connections with malicious drivers, potentially leading to remote code execution. The vulnerability is fixed in version 2.10.14. No known workarounds exist.

Severity
High
CVSS
8.8 (3.1)
Published
2025-10-17
CISA KEV
Not currently listed
Ecosystem
java/maven
Weaknesses
CWE-502

Affected products

  • dataease / dataease

Matched remediation archetype

Unsafe deserialization and object reconstruction

This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.

Check exposure

  • Inventory serialization formats accepted from requests, queues, caches, files, cookies, and cross-service messages.
  • Trace whether untrusted input can select classes, types, callbacks, constructors, or object hooks during decoding.
  • Identify signing, schema validation, trust-boundary, and compatibility settings for each decoder.

Remediate safely

  • Replace native object deserialization with a data-only format and explicit schema validation.
  • If replacement is not immediate, use a safe decoder with a minimal type allowlist and disable polymorphic or executable hooks.
  • Update the affected library and add inert tests for unknown types, extra fields, malformed nesting, and unsigned data.

Authoritative sources

Complete CVE record and remediation plan

The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.