PT-2026-20267 · Unknown+1 · Freemarker+1

Published 2026-02-17 · Updated 2026-02-22 · CVE-2025-70830

CVSS v3.1: 9.9 (Critical)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Datart version 1.0.0-rc.3

Description

A Server-Side Template Injection (SSTI) flaw exists in the Freemarker template engine of Datart. An authenticated attacker can execute arbitrary code by injecting crafted Freemarker template syntax into the SQL script field, which is the vulnerable parameter. The affected API endpoint and the vulnerable function are not specified.

Recommendations

Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, sanitize all user-supplied input to the SQL script field to prevent the injection of malicious Freemarker syntax.

Exploit

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2025-70830

Affected Products

Datart
Freemarker