CVE-2025-49003

26.06.2025, 14:15

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, a threat actor may take advantage of a feature in Java in which the character "" becomes "I" when converted to uppercase, and the character "" becomes "S" when converted to uppercase. A threat actor who uses a carefully crafted message that exploits this character conversion can cause remote code execution. The vulnerability has been fixed in v2.10.11. No known workarounds are available.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
GitHub_M	CNA	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 55%

Vendor	Product	Version
dataease	dataease	𝑥 < 2.10.11

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-153 - Improper Neutralization of Substitution Characters
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as substitution characters when they are sent to a downstream component.

References

https://github.com/dataease/dataease/security/advisories/GHSA-x97w-69ff-r55q