CVE-2025-11159 Overview
CVE-2025-11159 affects Hitachi Vantara Pentaho Data Integration & Analytics across all versions prior to the fixed releases. The product bundles a Java Database Connectivity (JDBC) driver for H2 databases that permits external script execution when a data source administrator creates a new connection. An authenticated administrator can supply a crafted JDBC connection string that triggers execution of attacker-controlled SQL scripts during connection initialization. The flaw aligns with [CWE-94] code injection patterns through abuse of H2's INIT parameter.
Critical Impact
An authenticated administrator can achieve arbitrary code execution on the Pentaho server, leading to full compromise of confidentiality, integrity, and availability with scope change to adjacent components.
Affected Products
- Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.7
- Hitachi Vantara Pentaho Data Integration & Analytics versions before 11.0.0.0
- Bundled H2 database JDBC driver dependency
Discovery Timeline
- 2026-05-13 - CVE-2025-11159 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2025-11159
Vulnerability Analysis
The vulnerability resides in the H2 JDBC driver shipped with Pentaho Data Integration & Analytics. The H2 driver supports parameters in the JDBC URL that can reference external SQL scripts at connection time. When a data source administrator establishes a new connection through the Pentaho interface, the supplied connection string is passed to the H2 driver without restricting these dangerous parameters. An attacker with administrator privileges can craft a JDBC URL that loads and runs SQL scripts, including H2 CREATE ALIAS statements that compile and execute arbitrary Java code on the host. The CVSS scope change reflects that code executes outside the database engine's intended boundary, affecting the underlying Pentaho server process and adjacent systems it can reach.
Root Cause
The root cause is unrestricted use of H2 JDBC URL parameters such as INIT and RUNSCRIPT, combined with the absence of an allow-list or sanitization layer on administrator-supplied connection strings. The H2 driver evaluates these parameters during DriverManager.getConnection(), executing referenced scripts inside the Pentaho JVM. The product treats administrator input as trusted and passes it directly to the driver.
Attack Vector
The attack requires network access to the Pentaho administration interface and valid high-privilege credentials. An attacker who controls or compromises a data source administrator account creates a new H2 connection with a malicious URL referencing a remote or local SQL script. When Pentaho tests or saves the connection, the H2 driver executes the script in the server context. The script can register Java aliases that invoke Runtime.exec or similar APIs, achieving remote code execution. The H2 JDBC URL accepts parameters that reference SQL initialization scripts from remote sources. The Pentaho data source creation workflow passes these parameters directly to the driver. The driver compiles and runs any Java code defined through CREATE ALIAS during script execution, yielding command execution on the host. See the Pentaho Security Advisory for vendor technical details.
Detection Methods for CVE-2025-11159
Indicators of Compromise
- New or modified Pentaho data source entries containing H2 JDBC URLs with INIT=, RUNSCRIPT, or SCRIPT parameters
- Pentaho server process (java) spawning unexpected child processes such as sh, bash, cmd.exe, or powershell.exe
- Outbound HTTP or SMB requests from the Pentaho host fetching .sql files from untrusted destinations
- Unexpected files written to the Pentaho working directory by the JVM after a connection test event
Detection Strategies
- Audit Pentaho repository and configuration stores for stored JDBC connection strings referencing H2 with script-loading parameters
- Enable JDBC driver logging or JVM agent instrumentation to capture DriverManager.getConnection arguments containing INIT or RUNSCRIPT
- Correlate Pentaho administrator login events with subsequent data source creation actions and process execution telemetry
Monitoring Recommendations
- Monitor authentication logs for data source administrator account use, particularly outside normal change windows
- Alert on process trees where the Pentaho JVM launches OS shells or networking utilities
- Track network egress from the Pentaho server to non-approved hosts during connection configuration
How to Mitigate CVE-2025-11159
Immediate Actions Required
- Upgrade Pentaho Data Integration & Analytics to version 10.2.0.7 or 11.0.0.0 or later as directed by the vendor advisory
- Review all existing H2 data source definitions and remove any containing INIT, RUNSCRIPT, or SCRIPT parameters
- Rotate credentials for any account with data source administrator privileges and audit recent administrative activity
Patch Information
Hitachi Vantara has released fixed builds. Apply the updates documented in the Pentaho Security Advisory. The fix updates the bundled H2 dependency and restricts unsafe JDBC URL parameters during connection creation.
Workarounds
- Restrict data source administrator role assignment to a minimal set of trusted operators and enforce multi-factor authentication
- Apply egress network controls to block the Pentaho server from reaching arbitrary internet hosts that could serve malicious SQL scripts
- Implement a connection string review process that rejects H2 URLs containing script-loading parameters before they are saved
# Example egress restriction to limit Pentaho server outbound access
iptables -A OUTPUT -m owner --uid-owner pentaho -d <approved-db-subnet> -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner pentaho -j REJECT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
