CVE-2025-49001
published 2025-06-03

CVE-2025-49001: DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.10, secret verification does not take effect successfully…

Priority: P2 (77)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: available
EPSS: 19.39% (97.0th percentile)
DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.10, secret verification does not take effect successfully, so a user can use any secret to forge a JWT token. The vulnerability has been fixed in v2.10.10. No known workarounds are available.

Affected (2 ranges)

Vendor   | Product  | Version range | Fixed in
dataease | dataease | < 2.10.10     | 2.10.10
dataease | dataease | <= 2.10.10    | (none given)

Detection & IOCs (extracted from sources)

  • cookie: X-DE-TOKEN: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1aWQiOjEsIm9pZCI6MSwiZXhwIjo5OTk5OTk5OTk5fQ.tDSRWgqgE9BTy9NDpTE0ZAI2GKxOFPllYz-jOJu635A
  • path: /de2api/user/info
  • Forged JWT token sent via X-DE-TOKEN header to /de2api/user/info; a successful exploit returns HTTP 400 with response headers containing both 'de-gateway-flag' and 'hmacsha256', and body containing 'getWriter() has already been called'
  • Unauthenticated baseline check: GET /de2api/user/info returns HTTP 401 with body containing 'token is empty', confirming a vulnerable DataEase instance before attempting JWT bypass
  • Shodan/FOFA fingerprint for exposed DataEase instances: search for HTTP title 'DataEase'
  • Response header 'x-de-execute-version' can be extracted to confirm DataEase version on exploited instances
  • The forged JWT uses HS256 with uid=1 (admin) and a far-future expiry (exp=9999999999). The vulnerability is that DataEase versions prior to 2.10.10 do not properly validate the JWT secret, so ANY secret produces an accepted token.
  • No known workarounds exist; the only remediation is upgrading to DataEase v2.10.10 or later.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd    | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd    | v4.0    | 7.7   | HIGH     | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X