← back
CVE-2025-64428

DataEase DB2 JNDI Vulnerability

CVSS 8.9 HIGHEPSS 0.5%CWE-74
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 8.9EPSS 0.5%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
20 Nov 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Dataease is an open source data visualization analysis tool. Versions prior to 2.10.17 are vulnerable to JNDI injection. A blacklist was added in the patch for version 2.10.14. However, JNDI injection remains possible via the iiop, corbaname, and iiopname schemes. The vulnerability has been fixed in version 2.10.17.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Affected products
dataease · dataease

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/dataease/dataease/commit/b7e585c1cc3fc2b73cb289b8680b4b3914be3d53https://github.com/dataease/dataease/releases/tag/v2.10.17https://github.com/dataease/dataease/security/advisories/GHSA-88ph-3236-2m2h