CVE-2025-49002

DataEase is an open source business intelligence and data visualization tool. Versions prior to version 2.10.10 have a flaw in the patch for CVE-2025-32966 that allow the patch to be bypassed through case insensitivity because INIT and RUNSCRIPT are prohibited. The vulnerability has been fixed in v2.10.10. No known workarounds are available.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/dataease/dataease/security/advisories/GHSA-999m-jv2p-5h34	Exploit Third Party Advisory
https://github.com/dataease/dataease/security/advisories/GHSA-h7hj-4j78-cvc7	Exploit Third Party Advisory
https://github.com/dataease/dataease/security/advisories/GHSA-h7hj-4j78-cvc7	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*

History

05 Jun 2025, 14:07

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-03 21:15

Updated : 2025-06-05 14:07

NVD link : CVE-2025-49002

Mitre link : CVE-2025-49002

CVE.ORG link : CVE-2025-49002

JSON object : View

Products Affected

dataease

dataease

CWE

CWE-290

Authentication Bypass by Spoofing

NVD-CWE-Other

{"id": "CVE-2025-49002", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-06-03T21:15:22.550", "references": [{"url": "https://github.com/dataease/dataease/security/advisories/GHSA-999m-jv2p-5h34", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/dataease/dataease/security/advisories/GHSA-h7hj-4j78-cvc7", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/dataease/dataease/security/advisories/GHSA-h7hj-4j78-cvc7", "tags": ["Exploit", "Third Party Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-290"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "DataEase is an open source business intelligence and data visualization tool. Versions prior to version 2.10.10 have a flaw in the patch for CVE-2025-32966 that allow the patch to be bypassed through case insensitivity because INIT and RUNSCRIPT are prohibited. The vulnerability has been fixed in v2.10.10. No known workarounds are available."}, {"lang": "es", "value": "DataEase es una herramienta de c\u00f3digo abierto para inteligencia empresarial y visualizaci\u00f3n de datos. Las versiones anteriores a la 2.10.10 presentan una vulnerabilidad en el parche para CVE-2025-32966 que permite omitir el parche mediante la insensibilidad a may\u00fasculas y min\u00fasculas, ya que INIT y RUNSCRIPT est\u00e1n prohibidos. Esta vulnerabilidad se ha corregido en la versi\u00f3n 2.10.10. No se conocen workarounds."}], "lastModified": "2025-06-05T14:07:36.847", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "83329E4A-6B6A-4637-A154-9E7C6B0C832D", "versionEndExcluding": "2.10.10"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}