CVE-2025-64163 Overview
DataEase, an open source data visualization analysis tool, contains a Server-Side Request Forgery (SSRF) vulnerability in versions 2.10.14 and below. While the vendor implemented a blacklist to filter ldap:// and ldaps:// protocols, the omission of protection for the dns:// protocol allows attackers to exploit this SSRF vulnerability. This security gap enables network-based attacks that can compromise the confidentiality and integrity of affected systems.
Critical Impact
Unauthenticated attackers can exploit the incomplete protocol blacklist to perform SSRF attacks via the unprotected dns:// protocol, potentially leading to internal network reconnaissance, data exfiltration, and further exploitation of internal services.
Affected Products
- DataEase versions 2.10.14 and below
- DataEase data visualization analysis tool (all installations prior to v2.10.15)
Discovery Timeline
- 2025-11-06 - CVE-2025-64163 published to NVD
- 2025-11-07 - Last updated in NVD database
Technical Details for CVE-2025-64163
Vulnerability Analysis
This vulnerability stems from an incomplete blacklist implementation in DataEase's JDBC connection handling. The application attempted to prevent SSRF attacks by blocking ldap:// and ldaps:// protocols, which are commonly exploited for JNDI injection attacks. However, the blacklist implementation failed to account for the dns:// protocol, creating a bypass opportunity.
The SSRF vulnerability allows attackers to manipulate server-side requests to access internal resources that should not be externally accessible. In the context of JDBC connections, this can be particularly dangerous as it may allow attackers to probe internal network infrastructure, perform DNS-based data exfiltration, or chain with other vulnerabilities for more severe attacks.
Root Cause
The root cause is an incomplete input validation blacklist for dangerous protocols in the JDBC datasource configuration. The security control was designed to prevent protocol-based attacks but failed to comprehensively enumerate all dangerous protocols. The dns://, file://, and ftp:// protocols were not included in the original blacklist, allowing attackers to bypass the security measure.
Attack Vector
The vulnerability is exploitable over the network without authentication or user interaction. An attacker can craft malicious JDBC connection strings containing the dns:// protocol to trigger outbound requests from the server. This network-based attack vector makes it particularly dangerous in environments where DataEase instances are exposed to untrusted networks.
The attack flow involves:
- Attacker identifies a DataEase instance running version 2.10.14 or below
- Attacker crafts a malicious datasource configuration containing dns:// protocol references
- The server processes the request and makes outbound DNS queries to attacker-controlled infrastructure
- Attacker can leverage this for internal network mapping or data exfiltration via DNS tunneling
// Security patch showing the fix in Db2.java datasource handler
// Source: https://github.com/dataease/dataease/commit/869b7fb8b10069ac6c326554bfa8f060a539ba85
// 新增:LDAP协议及相关危险参数
"ldap://", "ldaps://", "java.naming.factory.object", "java.naming.factory.state",
// 其他JDBC危险参数
- "autoDeserialize", "connectionProperties", "initSQL"
+ "autoDeserialize", "connectionProperties", "initSQL", "dns", "file", "ftp"
);
public String getJdbc() {
The patch extends the blacklist to include dns, file, and ftp protocols, addressing the bypass vector.
Detection Methods for CVE-2025-64163
Indicators of Compromise
- Unusual outbound DNS queries from DataEase servers to external or suspicious domains
- JDBC connection attempts containing dns://, file://, or ftp:// protocol strings in datasource configurations
- Unexpected network connections from the DataEase application to internal resources
- Log entries showing datasource creation or modification with protocol-based URL patterns
Detection Strategies
- Monitor DataEase application logs for datasource configuration changes containing suspicious protocol handlers
- Implement network-level monitoring for outbound DNS queries from DataEase server infrastructure
- Deploy web application firewall (WAF) rules to detect and block SSRF attack patterns in API requests
- Audit datasource configurations for any entries containing dns://, file://, or ftp:// strings
Monitoring Recommendations
- Enable verbose logging on DataEase instances to capture datasource configuration activities
- Configure DNS query logging on internal DNS servers to identify anomalous resolution requests from DataEase hosts
- Set up alerts for outbound connections from DataEase servers to non-whitelisted destinations
- Implement egress filtering to restrict outbound protocols from application servers
How to Mitigate CVE-2025-64163
Immediate Actions Required
- Upgrade DataEase to version 2.10.15 or later immediately
- Audit existing datasource configurations for any suspicious protocol handlers
- Implement network segmentation to limit the impact of potential SSRF exploitation
- Review and restrict outbound network access from DataEase server instances
Patch Information
DataEase has released version 2.10.15 which addresses this vulnerability by extending the protocol blacklist to include dns, file, and ftp protocols. The fix is available in the GitHub Release v2.10.15. Additional details about the vulnerability and patch can be found in the GitHub Security Advisory GHSA-8397-v66p-539m.
Workarounds
- If immediate patching is not possible, implement network-level controls to block outbound DNS queries from DataEase servers except to trusted DNS resolvers
- Configure web application firewall rules to block requests containing dns://, file://, or ftp:// in datasource parameters
- Restrict DataEase datasource configuration permissions to trusted administrators only
- Implement egress filtering at the network perimeter to prevent SSRF exploitation
# Example: Block suspicious outbound protocols using iptables
# Restrict outbound connections from DataEase server (adjust IP/interface as needed)
# Block direct outbound DNS to non-corporate resolvers
iptables -A OUTPUT -p udp --dport 53 -d ! 10.0.0.53 -j DROP
iptables -A OUTPUT -p tcp --dport 53 -d ! 10.0.0.53 -j DROP
# Block outbound FTP connections from application server
iptables -A OUTPUT -p tcp --dport 21 -j DROP
iptables -A OUTPUT -p tcp --dport 20 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
