CVE-2025-49001

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.10, secret verification does not take effect successfully, so a user can use any secret to forge a JWT token. The vulnerability has been fixed in v2.10.10. No known workarounds are available.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/dataease/dataease/security/advisories/GHSA-xx2m-gmwg-mf3r	Broken Link
https://github.com/dataease/dataease/security/advisories/GHSA-xx2m-gmwg-mf3r	Broken Link

Configurations

Configuration 1 (hide)

cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*

History

05 Jun 2025, 14:07

Type	Values Removed	Values Added
CPE		cpe:2.3:a:dataease:dataease::::::::
References	~~() https://github.com/dataease/dataease/security/advisories/GHSA-xx2m-gmwg-mf3r -~~	() https://github.com/dataease/dataease/security/advisories/GHSA-xx2m-gmwg-mf3r - Broken Link
CWE		NVD-CWE-noinfo
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
First Time		Dataease dataease Dataease

04 Jun 2025, 14:15

Type	Values Removed	Values Added
Summary		(es) DataEase es una herramienta de código abierto de inteligencia empresarial y visualización de datos. Antes de la versión 2.10.10, la verificación de secretos no se realizaba correctamente, por lo que un usuario podía usar cualquier secreto para falsificar un token JWT. La vulnerabilidad se ha corregido en la versión 2.10.10. No se conocen workarounds.
References	~~() https://github.com/dataease/dataease/security/advisories/GHSA-xx2m-gmwg-mf3r -~~	() https://github.com/dataease/dataease/security/advisories/GHSA-xx2m-gmwg-mf3r -

03 Jun 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-03 21:15

Updated : 2025-06-05 14:07

NVD link : CVE-2025-49001

Mitre link : CVE-2025-49001

CVE.ORG link : CVE-2025-49001

JSON object : View

Products Affected

dataease

dataease

CWE

CWE-287

Improper Authentication

NVD-CWE-noinfo

{"id": "CVE-2025-49001", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-06-03T21:15:22.410", "references": [{"url": "https://github.com/dataease/dataease/security/advisories/GHSA-xx2m-gmwg-mf3r", "tags": ["Broken Link"], "source": "security-advisories@github.com"}, {"url": "https://github.com/dataease/dataease/security/advisories/GHSA-xx2m-gmwg-mf3r", "tags": ["Broken Link"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-287"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.10, secret verification does not take effect successfully, so a user can use any secret to forge a JWT token. The vulnerability has been fixed in v2.10.10. No known workarounds are available."}, {"lang": "es", "value": "DataEase es una herramienta de c\u00f3digo abierto de inteligencia empresarial y visualizaci\u00f3n de datos. Antes de la versi\u00f3n 2.10.10, la verificaci\u00f3n de secretos no se realizaba correctamente, por lo que un usuario pod\u00eda usar cualquier secreto para falsificar un token JWT. La vulnerabilidad se ha corregido en la versi\u00f3n 2.10.10. No se conocen workarounds."}], "lastModified": "2025-06-05T14:07:47.397", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8866D763-0F6B-43AE-AC13-EECA5553ED6B", "versionEndIncluding": "2.10.10"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}