CVE-2025-49001
Published 2025-06-03
Priority P2 77 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 19.39% (97.0th percentile)
DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.10, secret verification does not take effect successfully, so a user can use any secret to forge a JWT token. The vulnerability has been fixed in v2.10.10. No known workarounds are available.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dataease | dataease | < 2.10.10 | 2.10.10 |
| dataease | dataease | <= 2.10.10 | — |
Detection & IOCs (extracted from sources)
cookie: X-DE-TOKEN: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1aWQiOjEsIm9pZCI6MSwiZXhwIjo5OTk5OTk5OTk5fQ.tDSRWgqgE9BTy9NDpTE0ZAI2GKxOFPllYz-jOJu635A
- Forged JWT token sent via X-DE-TOKEN header to /de2api/user/info; a successful exploit returns HTTP 400 with response headers containing both 'de-gateway-flag' and 'hmacsha256', and body containing 'getWriter() has already been called'
- Unauthenticated baseline check: GET /de2api/user/info returns HTTP 401 with body containing 'token is empty', confirming a vulnerable DataEase instance before attempting JWT bypass
- Shodan/FOFA fingerprint for exposed DataEase instances: search for HTTP title 'DataEase'
- Response header 'x-de-execute-version' can be extracted to confirm DataEase version on exploited instances
- The forged JWT uses HS256 with uid=1 (admin) and a far-future expiry (exp=9999999999). The vulnerability is that DataEase versions prior to 2.10.10 do not properly validate the JWT secret, so ANY secret produces an accepted token.
- No known workarounds exist; the only remediation is upgrading to DataEase v2.10.10 or later.
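
For incident review, the indicators above can be turned into a check over X-DE-TOKEN values captured in proxy or access logs. The Python below is an added example, not code from DataEase or from the Nuclei template; `triage_token`, the 30-day `MAX_LIFETIME` and the secret used in the demo call are assumptions, and the operator supplies the HS256 signing secret the instance is meant to use.

```python
import base64
import hashlib
import hmac
import json
import time

# Token quoted in the X-DE-TOKEN indicator on this page.
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1aWQiOjEsIm9pZCI6MSwiZXhwIjo5OTk5OTk5OTk5fQ."
    "tDSRWgqgE9BTy9NDpTE0ZAI2GKxOFPllYz-jOJu635A"
)
MAX_LIFETIME = 30 * 24 * 3600  # assumption: no legitimate session outlives 30 days


def _b64url(segment):
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def triage_token(token, secret, now):
    """Return findings for one captured X-DE-TOKEN value; an empty list means clean."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed"]
    try:
        header = json.loads(_b64url(parts[0]))
        claims = json.loads(_b64url(parts[1]))
        signature = _b64url(parts[2])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return ["malformed"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["malformed"]
    findings = []
    if header.get("alg") != "HS256":
        findings.append("unexpected-alg")
    # Recompute the HMAC with the real secret: the step the affected versions skip.
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        findings.append("bad-signature")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp - now > MAX_LIFETIME:
        findings.append("implausible-exp")
    if findings and claims.get("uid") == 1:  # uid=1 is the admin account per this page
        findings.append("targets-uid-1")
    return findings


if __name__ == "__main__":
    print(triage_token(PAGE_TOKEN, b"constructed-example-secret", int(time.time())))
```

A token that yields `bad-signature` in logs from an instance older than 2.10.10 should be treated as having been accepted by the server.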
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 7.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
No advisories linked to this vulnerability.
No detection rules found.
Nuclei
DataEase < 2.10.10 - JWT Authentication Bypass
nuclei · CVSS 7.7
CVE-2025-49001 [HIGH] DataEase < 2.10.10 - JWT Authentication Bypass
DataEase < 2.10.10 contains broken authentication caused by ineffective secret verification, letting users forge JWT tokens. Exploitation requires no special privileges.
Template:
```yaml
id: CVE-2025-49001

info:
  name: DataEase < 2.10.10 - JWT Authentication Bypass
  author: YunSeoJo,aryu-ru
  severity: critical
  description: |
    DataEase < 2.10.10 contains a broken authentication caused by ineffective secret verification, letting users forge JWT tokens, exploit requires no special privileges.
  impact: |
    Users can forge JWT tokens, potentially gaining unauthorized access to the system.
  remediation: |
    Update to version 2.10.10 or later.
  reference:
    - https://github.com/dataease/dataease/security/advisories/GHSA-xx2m-gmwg-mf3r
    - https://github.com/dataease/data
```
Published: 2025-06-03