PT-2026-22726 · Dataease · Dataease Sqlbot
Source: Vuldb (+1) · Published 2026-03-03 · Updated 2026-03-05 · CVE-2025-15598
CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Dataease SQLBot versions up to 1.5.1

Description: A flaw exists in Dataease SQLBot that relates to improper cryptographic signature verification. The issue is located within the validateEmbedded function in the backend/apps/system/middleware/auth.py file, part of the JWT Token Handler component. This allows for manipulation, potentially leading to unauthorized access. The exploit has been publicly disclosed. The complexity of the attack is considered high, and exploitability is difficult. A warning exists in the source code regarding the use of this feature.

Recommendations: Versions prior to 1.5.1 should be updated. As a temporary workaround, consider disabling the validateEmbedded() function until a patch is available.
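The weakness class above (CWE-347, improper verification of a cryptographic signature in a JWT handler) is easiest to reason about next to a handler that does verify strictly. The following is an added example written for this page; it is not SQLBot's validateEmbedded code and makes no claim about how that function is implemented. It uses only the Python standard library, and the function names, the secret and the sample tokens are constructed for the demonstration. It shows the checks a token handler must perform before trusting any claim: fixed expected algorithm, constant-time HMAC comparison, and expiry enforcement, and it demonstrates that a payload edited after signing and an unsigned alg "none" token are both refused.

```python
# Added illustrative example (not SQLBot's code): strict verification of an
# HS256 JSON Web Token with the Python standard library only. Helper names,
# the secret and the sample tokens below are constructed for this demo.
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url, the encoding JWT segments use."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def issue_hs256_token(claims: dict, secret: bytes) -> str:
    """Mint a token for the demonstration (a real service would use a library)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256_token(token: str, secret: bytes, now=None) -> dict:
    """Return the verified claims or raise ValueError.

    Checks a JWT handler must enforce before any claim is trusted:
      * exactly three segments;
      * the header names the one algorithm the server expects (the token
        never gets to choose 'none' or another algorithm);
      * the HMAC is recomputed over header.payload and compared in
        constant time;
      * 'exp' is present and in the future, so a disclosed token does not
        stay valid indefinitely.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return claims


def _rejection_reason(token: str, secret: bytes, now: float):
    """Return the ValueError message, or None if the token was accepted."""
    try:
        verify_hs256_token(token, secret, now=now)
        return None
    except ValueError as err:
        return str(err)


def demo() -> dict:
    """Accept a genuine token; refuse a re-signed-by-nobody payload and alg none."""
    secret = b"demo-secret-do-not-use"  # constructed for the example
    now = 1_700_000_000
    good = issue_hs256_token({"sub": "alice", "role": "viewer", "exp": 2_000_000_000}, secret)
    header_b64, _payload_b64, sig_b64 = good.split(".")
    # Payload altered after signing, original signature reused.
    edited_payload = _b64url_encode(json.dumps({"sub": "alice", "role": "admin", "exp": 2_000_000_000}).encode())
    edited = f"{header_b64}.{edited_payload}.{sig_b64}"
    # Token that declares no algorithm and carries an empty signature.
    none_header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    unsigned = f"{none_header}.{edited_payload}."
    return {
        "valid_subject": verify_hs256_token(good, secret, now=now)["sub"],
        "edited_reason": _rejection_reason(edited, secret, now),
        "unsigned_reason": _rejection_reason(unsigned, secret, now),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the signature check runs before the payload is even decoded, and that the algorithm is fixed server-side rather than read from the token: a handler that decodes claims first and treats verification as optional is the shape of flaw the CWE-347 classification describes.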

Exploit · Fix

Weakness Enumeration: Improper Verification of Cryptographic Signature; Insufficient Verification of Data Authenticity

Related Identifiers: CVE-2025-15598

Affected Products: Dataease Sqlbot