Improper input validation in DataEase - CVE-2025-27103

 


Published: March 13, 2025 / Updated: April 16, 2026


Vulnerability identifier: #VU126334
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-27103
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: DataEase
Affected software:
DataEase

Detailed vulnerability description

The vulnerability allows a remote user to read arbitrary files.

The vulnerability exists due to improper input validation in the MySQL JDBC connection configuration when JDBC connection strings are constructed and used with encoded connection parameters. A remote user can supply a specially crafted JDBC URL or extra parameters to read arbitrary files.

The issue can be exploited after logging in, through the background JDBC connection. The advisory also states that arbitrary files can be deserialized.


How to mitigate CVE-2025-27103

Install the security update from the vendor's website.
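
As defense in depth alongside the update, user-supplied MySQL JDBC URLs can be normalized and allow-listed before a connection is opened. The following is an added example (Java 10+), not DataEase's code or the vendor's fix; the class name, the allowed-parameter set and the sample URLs are assumptions, and since the advisory does not name the parameters involved, `allowLoadLocalInfile` and `autoDeserialize` are MySQL Connector/J options used here only as test inputs.

```java
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.regex.Pattern;

public class JdbcUrlGuard {
    // Assumption: the only properties this deployment needs; all others are refused.
    private static final Set<String> ALLOWED = Set.of(
        "characterencoding", "usessl", "servertimezone", "connecttimeout", "sockettimeout");
    // Plain host[:port]/database only. Connector/J also accepts key=value
    // properties inside the host section, so that form is refused outright.
    private static final Pattern BASE = Pattern.compile(
        "^jdbc:mysql://[A-Za-z0-9.-]+(:\\d{1,5})?/[A-Za-z0-9_]+$");

    // Decode until stable so single- and double-encoded names are checked in clear text.
    static String decodeFully(String s) {
        for (int i = 0; i < 5; i++) {
            String d = URLDecoder.decode(s, StandardCharsets.UTF_8);
            if (d.equals(s)) return s;
            s = d;
        }
        throw new IllegalArgumentException("too many encoding layers");
    }

    // Returns a canonical URL built only from allow-listed parameters, or throws.
    public static String validate(String url) {
        int q = url.indexOf('?');
        String base = q < 0 ? url : url.substring(0, q);
        if (!BASE.matcher(base).matches())
            throw new IllegalArgumentException("unsupported host/database form");
        StringJoiner safe = new StringJoiner("&");
        for (String pair : (q < 0 ? "" : decodeFully(url.substring(q + 1))).split("&")) {
            if (pair.isEmpty()) continue;
            String[] kv = pair.split("=", 2);
            String key = kv[0].trim();
            if (!ALLOWED.contains(key.toLowerCase(Locale.ROOT)))
                throw new IllegalArgumentException("parameter not allowed: " + key);
            String value = kv.length > 1 ? kv[1] : "";
            safe.add(key + "=" + URLEncoder.encode(value, StandardCharsets.UTF_8));
        }
        return safe.length() == 0 ? base : base + "?" + safe;
    }

    public static void main(String[] args) {
        String[] samples = { // constructed inputs
            "jdbc:mysql://db.internal:3306/reports?characterEncoding=utf8",
            "jdbc:mysql://db.internal:3306/reports?%61llowLoadLocalInfile=true",
            "jdbc:mysql://db.internal:3306/reports?useSSL=true%26autoDeserialize=true",
            "jdbc:mysql://(host=db.internal,allowLoadLocalInfile=true)/reports" };
        for (String s : samples) {
            try { System.out.println("OK   " + validate(s)); }
            catch (IllegalArgumentException e) { System.out.println("DENY " + s + " : " + e.getMessage()); }
        }
    }
}
```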

Sources