PT-2025-37719 · Dataease+1 · Dataease+1

Fit2Cloudrd · Published 2025-09-15 · Updated 2025-10-24 · CVE-2025-58045

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Dataease versions up to 2.10.12
Description: Dataease is an open source data analytics and visualization platform. A patch intended to mitigate DB2 JDBC deserialization remote code execution attacks only blacklisted the rmi parameter. The ldap parameter in the DB2 JDBC connection string was not filtered, allowing attackers to exploit the DB2 JDBC connection string to trigger server-side request forgery (SSRF). While higher versions of Java disable ldap deserialization by default, preventing remote code execution, SSRF remains exploitable.
Recommendations: Update to version 2.10.13 or later.
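The root cause described above is a denylist that filtered one scheme keyword and missed another. The following added example (not DataEase code, and not the project's actual patch) contrasts a keyword-denylist check modelled on that pattern with an allowlist parser for DB2 type 4 JDBC URLs (jdbc:db2://host:port/database:prop=value;...). The parser accepts only a hostname or IP, an optional numeric port, an alphanumeric database name, and properties whose keys are on a deployment-specific allowlist and whose values cannot carry a URL; the allowed-property set, host names and the property names in the samples are constructed for the example.

```python
"""Allowlist validation of DB2 JDBC connection strings (added example, not DataEase code)."""
import re
from typing import Optional

# Constructed allowlist of properties the application is willing to pass to the driver.
# This set is an assumption for the example; restrict it to what the deployment needs.
ALLOWED_PROPERTIES = {"user", "password", "currentSchema", "sslConnection"}

# RFC 1123-style host labels joined by dots; IPv4 literals also match this shape.
_HOST = r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_URL_RE = re.compile(
    r"jdbc:db2://(?P<host>" + _HOST + r")"
    r"(?::(?P<port>\d{1,5}))?"
    r"/(?P<db>[A-Za-z0-9_]{1,64})"
    r"(?::(?P<props>.*))?"
)
# Property values may not contain characters that could form a URL or a new property.
_PROP_VALUE_RE = re.compile(r"[^:/;=\s]*")


def denylist_check(url: str) -> bool:
    """Models the insufficient pattern: the URL passes unless it mentions the one blocked keyword."""
    return "rmi" not in url.lower()


def parse_db2_url(url: str) -> Optional[dict]:
    """Strict allowlist parser. Returns the parsed components, or None if anything is off-policy."""
    m = _URL_RE.fullmatch(url)
    if m is None:
        return None
    port = None
    if m.group("port") is not None:
        port = int(m.group("port"))
        if not 1 <= port <= 65535:
            return None
    properties = {}
    raw = m.group("props")
    if raw is not None:
        # DB2 properties are "key=value;" pairs; the trailing semicolon is required.
        if not raw.endswith(";"):
            return None
        for item in raw[:-1].split(";"):
            key, sep, value = item.partition("=")
            if not sep or key not in ALLOWED_PROPERTIES:
                return None
            if _PROP_VALUE_RE.fullmatch(value) is None:
                return None
            properties[key] = value
    return {"host": m.group("host"), "port": port, "database": m.group("db"), "properties": properties}


if __name__ == "__main__":
    # Constructed samples: a benign URL and one smuggling an ldap:// URL in a property value.
    benign = "jdbc:db2://db.example.test:50000/SAMPLE:user=app;sslConnection=true;"
    smuggled = "jdbc:db2://db.example.test/SAMPLE:currentSchema=ldap://192.0.2.10/x;"
    for url in (benign, smuggled):
        print(url)
        print("  denylist passes:", denylist_check(url))
        print("  allowlist parse:", parse_db2_url(url))
```

The denylist passes the second sample because it never mentions the blocked keyword, which is exactly the gap the advisory describes; the allowlist parser rejects it on the value alone, and would also reject it if the property key were not on the list. Because the parser works from an explicit grammar rather than a list of bad words, it does not need updating each time another scheme or driver property turns out to be dangerous.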

Tags: Exploit · Fix · RCE · SSRF

Weakness Enumeration

Related Identifiers
CVE-2025-58045
GHSA-FMQ3-6XHC-R845

Affected Products
Db2 Jdbc
Dataease