CVE-2025-64428 | THREATINT

Description

Dataease is an open source data visualization analysis tool. Versions prior to 2.10.17 are vulnerable to JNDI injection. A blacklist was added in the patch for version 2.10.14. However, JNDI injection remains possible via the iiop, corbaname, and iiopname schemes. The vulnerability has been fixed in version 2.10.17.

PUBLISHED Reserved 2025-11-03 | Published 2025-11-20 | Updated 2025-11-21 | Assigner GitHub_M

HIGH: 8.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Problem types

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Product status

< 2.10.17

affected

References

github.com/...taease/security/advisories/GHSA-88ph-3236-2m2h exploit

github.com/...taease/security/advisories/GHSA-88ph-3236-2m2h

github.com/...ommit/b7e585c1cc3fc2b73cb289b8680b4b3914be3d53

github.com/dataease/dataease/releases/tag/v2.10.17

cve.org (CVE-2025-64428)

nvd.nist.gov (CVE-2025-64428)

Download JSON