Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-62422

CVE-2025-62422: DataEase SQL Injection Vulnerability

CVE-2025-62422 is a SQL injection flaw in DataEase open source analytics platform affecting versions 2.10.13 and earlier. Attackers can execute arbitrary SQL commands via the tableName parameter. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-62422 Overview

CVE-2025-62422 is a SQL injection vulnerability [CWE-89] in DataEase, an open source data visualization and analytics platform. The flaw resides in the /de2api/datasetData/tableField interface, where the tableName parameter is concatenated into SQL queries without validation. An authenticated attacker can craft a malicious tableName value to execute arbitrary SQL commands against the backing datasource. The issue affects DataEase versions 2.10.13 and earlier and is resolved in version 2.10.14. No workarounds are available, making the patch the only remediation path.

Critical Impact

Authenticated attackers can execute arbitrary SQL against connected datasources, leading to data exfiltration, modification, and potential lateral movement within data infrastructure.

Affected Products

  • DataEase versions 2.10.13 and earlier
  • DataEase open source data visualization platform
  • Deployments exposing the /de2api/datasetData/tableField endpoint

Discovery Timeline

  • 2025-10-17 - CVE-2025-62422 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-62422

Vulnerability Analysis

The vulnerability is a classic SQL injection [CWE-89] in DataEase's dataset table field retrieval flow. The /de2api/datasetData/tableField endpoint accepts a tableName parameter that is interpolated directly into a SQL string sent to the configured datasource provider. Because the value is treated as a trusted identifier rather than validated against known tables, attackers can break out of the identifier context and append arbitrary SQL clauses.

In the Elasticsearch provider path, the backend builds queries such as select * from "<tableName>" limit 0. An attacker can supply a tableName containing quote characters and additional statements, causing the server to execute injected SQL against the connected datasource. Successful exploitation allows reading or modifying any data accessible to the DataEase service account.

Root Cause

The root cause is missing validation of the tableName parameter before it is concatenated into a dynamically constructed SQL string. The provider trusts caller-supplied identifiers instead of checking them against the enumerated list of available tables for the datasource.

Attack Vector

Exploitation occurs over the network against the DataEase HTTP API. The attacker requires low-privilege authenticated access to reach the /de2api/datasetData/tableField endpoint. No user interaction is required. Once reached, a single malicious request is sufficient to execute injected SQL.

java
// Patch from EsProvider.java - validates tableName against known tables
try {
    String sql;
    if (datasourceRequest.getTable() != null) {
        if (!getTables(datasourceRequest).stream().map(DatasetTableDTO::getTableName).collect(Collectors.toList()).contains(datasourceRequest.getTable())) {
            DEException.throwException("无效的表名!");
        }
        sql = "select * from \"" + datasourceRequest.getTable() + "\" limit 0";
    } else {
        sql = datasourceRequest.getQuery();

Source: DataEase commit 3c52cc26. The patch enforces that the supplied table name exists in the datasource's enumerated table list before constructing the SQL string.

Detection Methods for CVE-2025-62422

Indicators of Compromise

  • HTTP requests to /de2api/datasetData/tableField containing SQL metacharacters such as single quotes, semicolons, or UNION SELECT in the tableName parameter.
  • Application logs showing SQL syntax errors or DEException entries referencing invalid table names after the patch is deployed.
  • Datasource query logs containing unusual statements originating from the DataEase service account.

Detection Strategies

  • Inspect web access logs for tableName values that do not match expected dataset identifiers in the deployment.
  • Correlate DataEase application events with downstream database audit logs to identify unexpected queries against sensitive tables.
  • Apply WAF signatures targeting SQL injection patterns on the /de2api/datasetData/ URL prefix.

Monitoring Recommendations

  • Monitor authentication events for low-privilege DataEase accounts that begin issuing high volumes of tableField requests.
  • Alert on outbound data transfers from the DataEase host that exceed baseline volumes following API activity.
  • Track new or modified database users created by the DataEase service account, which can indicate post-exploitation activity.

How to Mitigate CVE-2025-62422

Immediate Actions Required

  • Upgrade DataEase to version 2.10.14 or later, which contains the fix in commit 3c52cc26.
  • Restrict network exposure of the DataEase API to trusted users and networks until patching is complete.
  • Rotate datasource credentials configured in DataEase if exploitation is suspected.
  • Review datasource audit logs for unauthorized queries originating from the DataEase service account.

Patch Information

The vendor fix is published in the DataEase Security Advisory GHSA-54m5-xrw4-mv36 and implemented in commit 3c52cc26. Version 2.10.14 validates the tableName parameter against the datasource's known table list before constructing the SQL query.

Workarounds

  • No vendor-supplied workarounds exist; upgrading to 2.10.14 is required.
  • As a temporary control, place the DataEase API behind a WAF with rules blocking SQL metacharacters in the tableName parameter.
  • Limit DataEase datasource accounts to the minimum privileges required for reporting to reduce blast radius.
bash
# Verify installed DataEase version and upgrade
docker exec dataease cat /opt/dataease2.0/conf/version.txt
docker pull registry.cn-qingdao.aliyuncs.com/dataease/dataease:v2.10.14
docker compose -f /opt/dataease2.0/docker-compose.yml up -d

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.