PT-2025-37720 · Dataease · Dataease
Gsbp0 · Published 2025-09-15 · Updated 2025-09-20 · CVE-2025-58046
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Dataease, versions 2.10.12 and earlier (all versions prior to 2.10.13).
Description: Dataease is a data visualization and analysis platform. Versions up to and including 2.10.12 are susceptible to remote code execution through the Impala data source. Insufficient filtering in the getJdbc method of the io.dataease.datasource.type.Impala class allows an attacker to construct a malicious JDBC connection string: because the user-controlled data source fields are concatenated into the connection string without being validated, an attacker can append driver parameters of their choosing. The vulnerability is exploited by modifying a data source and supplying a crafted JDBC connection string that references a remote configuration file. This results in a JNDI lookup, which makes the Dataease server connect to an attacker-controlled RMI endpoint and deserialize the object it returns, so an RMI-based deserialization attack leads to remote command execution.
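The root cause above is a JDBC URL assembled from unvalidated data source fields. The following Java class is an added example and is not Dataease code: it shows one way a data source type could build an Impala JDBC URL safely, by validating every user-supplied component against a strict allowlist before concatenation so that a data source definition cannot smuggle in extra driver properties. The class name, the allowlisted property names and the `jdbc:impala://host:port/schema;prop=value` layout are assumptions for illustration; the exact driver property the real attack abused is not stated on this page and is not reproduced here.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.regex.Pattern;

/**
 * Hypothetical hardened builder for an Impala JDBC URL (added example, not
 * Dataease's io.dataease.datasource.type.Impala). Each user-controlled field is
 * checked against a strict allowlist before it reaches the URL, so a modified
 * data source cannot append attacker-chosen driver parameters.
 */
public final class SafeImpalaJdbcUrl {

    // Hostnames and IPs only: no delimiters, no scheme, no path.
    private static final Pattern HOST = Pattern.compile("^[A-Za-z0-9.-]{1,253}$");
    // Schema names: plain identifiers, so ';', '=', '/' and ':' are rejected.
    private static final Pattern IDENT = Pattern.compile("^[A-Za-z0-9_]{1,64}$");
    // Property values: same idea, no URL or delimiter characters.
    private static final Pattern PARAM_VALUE = Pattern.compile("^[A-Za-z0-9_.-]{1,128}$");

    // Assumed allowlist of driver properties a data source may set (hypothetical
    // names). Anything outside this set, including anything that could point the
    // driver at a remote or JNDI-resolved configuration, is refused.
    private static final Set<String> ALLOWED_PARAMS = Set.of("AuthMech", "UseSasl", "SSL");

    private SafeImpalaJdbcUrl() {}

    public static String build(String host, int port, String schema, Map<String, String> extra) {
        if (host == null || !HOST.matcher(host).matches()) {
            throw new IllegalArgumentException("invalid host");
        }
        if (port < 1 || port > 65535) {
            throw new IllegalArgumentException("invalid port");
        }
        if (schema == null || !IDENT.matcher(schema).matches()) {
            throw new IllegalArgumentException("invalid schema");
        }
        StringBuilder url = new StringBuilder("jdbc:impala://")
                .append(host).append(':').append(port).append('/').append(schema);
        // TreeMap gives a deterministic parameter order in the resulting URL.
        for (Map.Entry<String, String> e : new TreeMap<>(extra).entrySet()) {
            if (!ALLOWED_PARAMS.contains(e.getKey())) {
                throw new IllegalArgumentException("parameter not allowed: " + e.getKey());
            }
            if (e.getValue() == null || !PARAM_VALUE.matcher(e.getValue()).matches()) {
                throw new IllegalArgumentException("invalid value for " + e.getKey());
            }
            url.append(';').append(e.getKey()).append('=').append(e.getValue());
        }
        return url.toString();
    }

    public static void main(String[] args) {
        // Legitimate data source definition (constructed values).
        System.out.println(build("impala.internal", 21050, "sales", Map.of("AuthMech", "3")));

        // Constructed inputs with the shape of the injection the advisory
        // describes: delimiters inside a user field that would otherwise append
        // an attacker-chosen driver property ("Foo" is a placeholder, not the
        // real property name) pointing at a remote RMI endpoint.
        for (String bad : List.of("sales;Foo=rmi://attacker.example/x", "sales/../other")) {
            try {
                build("impala.internal", 21050, bad, Map.of());
            } catch (IllegalArgumentException ex) {
                System.out.println("rejected: " + ex.getMessage());
            }
        }
    }
}
```

The point is the direction of the check: accept only known-good characters and known property names, rather than trying to blocklist `jndi`, `rmi://` or similar tokens, which a different driver property or encoding can bypass. Input validation of this kind is a defence-in-depth measure; the authoritative fix remains the vendor upgrade given below.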
Recommendations: Upgrade to Dataease version 2.10.13 or later. Until the upgrade is applied, restrict who can create or modify data sources, and block outbound connections from the Dataease server to untrusted hosts: the JNDI lookup described above only leads to code execution if the server can reach the attacker's RMI endpoint, so egress filtering reduces the impact of an attempted exploit.

References: Exploit · Fix

Weakness Enumeration: RCE · Special Elements Injection · Deserialization of Untrusted Data

Related Identifiers: CVE-2025-58046 · GHSA-MVWC-X8X9-46C3

Affected Products: Dataease