PT-2025-42627

Published 2025-10-17 · Updated 2025-10-17 · CVE-2025-62420

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: DataEase versions through 2.10.13
Description: DataEase is a data visualization and analytics platform. A JDBC driver bypass exists in the H2 database connection handler. The getJdbc function in H2.java checks whether the jdbcUrl field starts with jdbc:h2, but it uses a separate jdbc field as the actual connection URL, so the value that is validated is not the value that is used. An attacker can supply a jdbcUrl that starts with jdbc:h2 together with a jdbc field that carries an arbitrary JDBC driver prefix and connection string. This lets an authenticated attacker (PR:L in the vector above) trigger arbitrary JDBC connections with a malicious driver, potentially leading to remote code execution.
Recommendations: Update to DataEase version 2.10.14 or later.
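The validate-one-field/use-another pattern described above, modelled in Python as an added example. This is not DataEase's H2.java: the names jdbc_url, jdbc and get_jdbc mirror the description, but the request shape, the hardened variant (one possible fix, not the upstream patch) and the audit helper for stored configurations are assumptions, and the sample records are constructed.

```python
"""
Added illustration of the check-one-field/use-another flaw behind
CVE-2025-62420. NOT DataEase code: jdbc_url, jdbc and get_jdbc mirror the
advisory's wording about H2.java; everything else here is assumed.
"""
from dataclasses import dataclass
import json

H2_SCHEME = "jdbc:h2:"


class JdbcUrlRejected(ValueError):
    """Raised when a datasource request fails URL validation."""


@dataclass(frozen=True)
class H2DatasourceRequest:
    """Minimal model of a user-submitted H2 datasource configuration (assumed shape)."""
    jdbc_url: str  # the field the original check inspects
    jdbc: str      # the field the original code actually hands to the driver


def get_jdbc_vulnerable(req: H2DatasourceRequest) -> str:
    """Reproduces the flawed logic: validates jdbc_url, returns jdbc."""
    if not req.jdbc_url.startswith("jdbc:h2"):
        raise JdbcUrlRejected("jdbc_url must be an H2 URL")
    # The returned value was never checked, so any driver prefix passes.
    return req.jdbc


def get_jdbc_fixed(req: H2DatasourceRequest) -> str:
    """One possible hardening (assumed): validate the value that is actually
    used, require the full 'jdbc:h2:' scheme, and refuse requests whose two
    fields disagree so there is a single source of truth."""
    url = req.jdbc
    if not url.startswith(H2_SCHEME):
        raise JdbcUrlRejected(f"connection URL must start with {H2_SCHEME!r}")
    if req.jdbc_url != url:
        raise JdbcUrlRejected("jdbc_url and jdbc disagree")
    return url


def find_mismatched_configs(records):
    """Audit helper for stored datasource configs (dicts with keys
    'id', 'jdbcUrl', 'jdbc'): return IDs where the checked field looks like
    H2 but the used field does not, i.e. the trace this bypass leaves behind."""
    flagged = []
    for rec in records:
        checked, used = rec.get("jdbcUrl", ""), rec.get("jdbc", "")
        if checked.startswith("jdbc:h2") and not used.startswith(H2_SCHEME):
            flagged.append(rec["id"])
    return flagged


# Constructed sample requests (not real traffic).
BENIGN = H2DatasourceRequest(
    jdbc_url="jdbc:h2:mem:reports", jdbc="jdbc:h2:mem:reports")
BYPASS = H2DatasourceRequest(
    jdbc_url="jdbc:h2:mem:reports",                      # satisfies the check
    jdbc="jdbc:otherdriver://attacker.example:1234/db")  # placeholder driver URL

# Constructed sample of stored configurations (not real data).
SAMPLE_RECORDS = json.loads("""[
  {"id": 1, "jdbcUrl": "jdbc:h2:mem:reports", "jdbc": "jdbc:h2:mem:reports"},
  {"id": 2, "jdbcUrl": "jdbc:h2:mem:x", "jdbc": "jdbc:otherdriver://attacker.example:1234/db"},
  {"id": 3, "jdbcUrl": "jdbc:mysql://db.internal/app", "jdbc": "jdbc:mysql://db.internal/app"}
]""")


def demo():
    """Return what each variant does with the bypass payload."""
    vulnerable_result = get_jdbc_vulnerable(BYPASS)
    try:
        get_jdbc_fixed(BYPASS)
        fixed_result = "accepted"
    except JdbcUrlRejected as exc:
        fixed_result = f"rejected: {exc}"
    return vulnerable_result, fixed_result


if __name__ == "__main__":
    print(demo())
    print(find_mismatched_configs(SAMPLE_RECORDS))
```

The vulnerable variant returns the attacker's non-H2 connection string untouched; the hardened variant rejects it because the string that will be passed to the driver is the one being checked. The audit helper is useful on a deployment that ran an affected version: any stored H2 datasource whose jdbc field is not an H2 URL deserves incident-response attention.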

Tags: Exploit · Fix · RCE · Deserialization of Untrusted Data


Weakness Enumeration

Related Identifiers

CVE-2025-62420
GHSA-7WCV-J6GC-QC7Q

Affected Products

Dataease
H2