#VU126344 Improper input validation in DataEase - CVE-2025-62420

 


Published: April 16, 2026


Vulnerability identifier: #VU126344
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2025-62420
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: DataEase
Software vendor: DataEase

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation in the getJdbc function in H2.java when handling datasource validation requests. A remote attacker can send a specially crafted request to execute arbitrary code.

The issue arises because the check validates that jdbcUrl starts with "jdbc:h2" while the actual connection URL is taken from the separate jdbc field, allowing use of an arbitrary JDBC driver and connection URL.
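
The mismatch described above, modelled as an added Java example that is not DataEase's code: the field names `jdbcUrl` and `jdbc` and the `"jdbc:h2"` prefix come from the advisory, while the `H2Config` class, both method bodies and the sample values are hypothetical. It contrasts a check on the wrong field with a check on the value that is actually returned for the connection.

```java
// Illustrative model of the flaw class; NOT DataEase's H2.java.
// Field names jdbcUrl and jdbc follow the advisory; everything else is hypothetical.
public class H2ConfigCheck {
    static final class H2Config {
        final String jdbcUrl; // field the check inspects (per the advisory)
        final String jdbc;    // field the connection URL is taken from (per the advisory)
        H2Config(String jdbcUrl, String jdbc) { this.jdbcUrl = jdbcUrl; this.jdbc = jdbc; }
    }

    // Flawed pattern: validates one field, returns another.
    static String getJdbcFlawed(H2Config c) {
        if (c.jdbcUrl == null || !c.jdbcUrl.startsWith("jdbc:h2")) {
            throw new IllegalArgumentException("Illegal jdbcUrl");
        }
        return c.jdbc; // this value was never checked
    }

    // Corrected pattern: the value that is validated is the value that is returned.
    static String getJdbcChecked(H2Config c) {
        String url = c.jdbc;
        if (url == null || !url.startsWith("jdbc:h2")) {
            throw new IllegalArgumentException("Connection URL must start with jdbc:h2");
        }
        return url;
    }

    public static void main(String[] args) {
        // Constructed sample: the two fields disagree on the driver scheme.
        H2Config mismatched =
            new H2Config("jdbc:h2:mem:test", "jdbc:otherdriver://db.example.invalid/x");
        System.out.println("flawed returns:  " + getJdbcFlawed(mismatched));
        try {
            getJdbcChecked(mismatched);
        } catch (IllegalArgumentException e) {
            System.out.println("checked rejects: " + e.getMessage());
        }

        // Constructed sample: both fields carry the same H2 URL.
        H2Config consistent = new H2Config("jdbc:h2:mem:test", "jdbc:h2:mem:test");
        System.out.println("checked accepts: " + getJdbcChecked(consistent));
    }
}
```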


Remediation

Install the security update from the vendor's website.
