CVE-2025-49002

Dataease H2 Database Remote Code Execution (RCE) Bypass Vulnerability

CVSS 8.2 HIGHEPSS 41.8%CWE-290

In short

DataEase versions before 2.10.10 allow attackers to bypass security protections and execute malicious code on the server by using different letter cases (uppercase/lowercase variations) to hide prohibited commands. This lets attackers take full control of the affected system.

Technical detail

The vulnerability exists in DataEase's H2 database command filtering mechanism, where case-insensitive bypass techniques circumvent the prohibition on INIT and RUNSCRIPT keywords. An attacker can craft requests using case variations (e.g., 'Init', 'RunScript') to achieve remote code execution with high privileges, requiring network access to the DataEase instance but no authentication or user interaction.

Summary generated and translated by AI from the official description.

DataEase is an open source business intelligence and data visualization tool. Versions prior to version 2.10.10 have a flaw in the patch for CVE-2025-32966 that allow the patch to be bypassed through case insensitivity because INIT and RUNSCRIPT are prohibited. The vulnerability has been fixed in v2.10.10. No known workarounds are available.

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Affected products

dataease · dataease

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/dataease/dataease/security/advisories/GHSA-999m-jv2p-5h34 https://github.com/dataease/dataease/security/advisories/GHSA-h7hj-4j78-cvc7