CVE-2025-49002— Dataease H2 Database Remote Code Execution (RCE) Bypass Vulnerability

EPSS 22.26% · P96 Updated Jun 04, 2025

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-49002

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Dataease H2 Database Remote Code Execution (RCE) Bypass Vulnerability

Source: NVD (National Vulnerability Database)

Vulnerability Description

DataEase is an open source business intelligence and data visualization tool. Versions prior to version 2.10.10 have a flaw in the patch for CVE-2025-32966 that allow the patch to be bypassed through case insensitivity because INIT and RUNSCRIPT are prohibited. The vulnerability has been fixed in v2.10.10. No known workarounds are available.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

使用欺骗进行的认证绕过

Source: NVD (National Vulnerability Database)

Vulnerability Title

DataEase 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

DataEase是DataEase开源的一个开源的数据可视化分析工具。用于帮助用户快速分析数据并洞察业务趋势，从而实现业务的改进与优化。 DataEase 2.10.10之前版本存在安全漏洞，该漏洞源于INIT和RUNSCRIPT禁止但可通过大小写不敏感绕过补丁。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
dataease	dataease	< 2.10.10	-

II. Public POCs for CVE-2025-49002

#	POC Description	Source Link	Shenlong Link
1	飞致云 DataEase Postgresql JDBC Bypass 远程代码执行漏洞 CVE-2025-49002 漏洞类型 RCE	https://github.com/Feng-Huang-0520/DataEase_Postgresql_JDBC_Bypass-CVE-2025-49002	POC Details
2	None	https://github.com/jiuzui129-arch/CVE-2025-49002	POC Details
3	DataEase is an open-source business intelligence and data visualization platform. Public advisories state that CVE-2025-49002 is related to a bypass in the previous fix for CVE-2025-32966 involving case-insensitive handling of restricted H2 JDBC keywords. This template is a non-invasive detection template intended only to identify exposed DataEase instances and extract possible version hints for manual verification. It does not attempt authentication bypass, JDBC exploitation, or command execution.	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-49002.yaml	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2025-49002

请登录查看更多情报信息。

Same Patch Batch · dataease · 2025-06-03 · 4 CVEs total

CVE-2025-48998		Dataease MYSQL JDBC File Reading Vulnerability
CVE-2025-48999		Dataease Redshift Data Source JDBC Connection Parameters Not Verified Leads to RCE Vulnera
CVE-2025-49001		Dataease Authentication Bypass Vulnerability

IV. Related Vulnerabilities

Same product: dataease

Same vendor: dataease

Same weakness: CWE-290

V. Comments for CVE-2025-49002

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2025-49002— Dataease H2 Database Remote Code Execution (RCE) Bypass Vulnerability

I. Basic Information for CVE-2025-49002

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2025-49002

III. Intelligence Information for CVE-2025-49002

Same Patch Batch · dataease · 2025-06-03 · 4 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2025-49002

Leave a comment