Amazon · Amazon Redshift · CVE-2025-58748
**Name of the Vulnerable Software and Affected Versions**
Dataease versions prior to 2.10.13
**Description**
Dataease is an open source data analytics and visualization platform. The H2 data source implementation (H2.java) does not validate that a user-supplied JDBC URL begins with `jdbc:h2`. A crafted JDBC configuration can therefore point the data source at the Amazon Redshift driver instead and use that driver's `socketFactory` and `socketFactoryArg` parameters to instantiate `org.springframework.context.support.FileSystemXmlApplicationContext` or `ClassPathXmlApplicationContext` with a remote, attacker-controlled XML resource, potentially leading to remote code execution.
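The missing check described above, as an added example written for this page rather than taken from the Dataease code base: the validator accepts only URLs routed to the H2 driver and additionally rejects the class-loading connection parameters named in the description. The class and method names are hypothetical.

```java
import java.util.Locale;
import java.util.Set;

/** Hypothetical validation helper for an H2 data source configuration (not Dataease code). */
public final class H2JdbcUrlValidator {

    // Only URLs with this prefix are dispatched to the H2 driver (jdbc:h2:mem:, jdbc:h2:file:, ...).
    private static final String H2_PREFIX = "jdbc:h2:";

    // Connection parameters that let a driver load arbitrary classes; H2 needs neither of them.
    private static final Set<String> FORBIDDEN_PARAMS = Set.of("socketfactory", "socketfactoryarg");

    private H2JdbcUrlValidator() {}

    /**
     * Returns true only when the URL targets the H2 driver and carries no class-loading parameter.
     * Matching is case-insensitive so that mixed-case prefixes or parameter names cannot bypass it.
     */
    public static boolean isSafeH2Url(String jdbcUrl) {
        if (jdbcUrl == null) return false;
        String lower = jdbcUrl.trim().toLowerCase(Locale.ROOT);
        // Reject anything that would be handed to another driver, e.g. a Redshift URL.
        if (!lower.startsWith(H2_PREFIX)) return false;
        // H2 separates parameters with ';'; other drivers also accept '?' and '&', so split on all.
        for (String part : lower.split("[;?&]")) {
            int eq = part.indexOf('=');
            String key = (eq >= 0 ? part.substring(0, eq) : part).trim();
            if (FORBIDDEN_PARAMS.contains(key)) return false;
        }
        return true;
    }

    /** Fail closed: throw instead of returning a flag a caller could forget to check. */
    public static String requireH2Url(String jdbcUrl) {
        if (!isSafeH2Url(jdbcUrl)) {
            throw new IllegalArgumentException(
                "Rejected JDBC URL for H2 data source: only jdbc:h2: URLs without class-loading parameters are allowed");
        }
        return jdbcUrl.trim();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the first is accepted, the other two are rejected.
        String[] samples = {
            "jdbc:h2:mem:testdb;MODE=MySQL",
            "jdbc:redshift://example.invalid:5439/db",
            "JDBC:H2:mem:testdb;SocketFactoryArg=x",
        };
        for (String s : samples) {
            System.out.println(isSafeH2Url(s) + "  " + s);
        }
    }
}
```

Calling `requireH2Url` at the point where the data source is built, before any driver is resolved, is the placement that closes the issue; validating after the connection attempt is too late.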
**Recommendations**
Update to Dataease version 2.10.13 or later.