CVE-2025-58748

Name of the Vulnerable Software and Affected Versions Dataease versions prior to 2.10.13

Description Dataease is an open source data analytics and visualization platform. The H2 data source implementation (H2.java) lacks validation to ensure that a provided JDBC URL begins with jdbc:h2. This allows a crafted JDBC configuration to substitute the Amazon Redshift driver and utilize the socketFactory and socketFactoryArg parameters to invoke org.springframework.context.support.FileSystemXmlApplicationContext or ClassPathXmlApplicationContext with a remote XML resource controlled by an attacker, potentially leading to remote code execution.

Recommendations Update to Dataease version 2.10.13 or later.