CVE-2025-64428

CRITICAL

Dataease < 2.10.17 - JNDI Injection via iiop, corbaname, and iiopname Schemes


Description

Dataease is an open source data visualization and analysis tool. Versions prior to 2.10.17 are vulnerable to JNDI injection. The patch for version 2.10.14 added a blacklist; however, lookups using the iiop, corbaname, and iiopname schemes are not blocked by it, so JNDI injection remains possible. The vulnerability has been fixed in version 2.10.17.

Scores

CVSS v3: 9.8
EPSS: 0.0050
EPSS Percentile: 38.6%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total

Details

CWE: CWE-74
Status: published
Products (1): dataease/dataease < 2.10.17
Published: Nov 20, 2025
Tracked Since: Feb 18, 2026