VYPR
Unrated severityNVD Advisory· Published Oct 17, 2025· Updated Oct 17, 2025

DataEase vulnerable to remote code execution via H2 JDBC driver bypass

CVE-2025-62420

Description

DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC driver bypass vulnerability exists in the H2 database connection handler. The getJdbc function in H2.java checks if the jdbcUrl starts with jdbc:h2 but returns a separate jdbc field as the actual connection URL. An attacker can provide a jdbcUrl that starts with jdbc:h2 while supplying a different jdbc field with an arbitrary JDBC driver and connection string. This allows an authenticated attacker to trigger arbitrary JDBC connections with malicious drivers, potentially leading to remote code execution. The vulnerability is fixed in version 2.10.14. No known workarounds exist.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Dataease/Dataeasellm-fuzzy2 versions
    <=2.10.13+ 1 more
    • (no CPE)range: <=2.10.13
    • (no CPE)range: < 2.10.14

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.