Critical Remote Code Execution (RCE) vulnerabilities (CVE-2025-49001 and CVE-2025-49002) have been discovered in DataEase, an open-source data visualization platform.
The vulnerabilities allow unauthenticated RCE and authentication bypass, posing a significant risk to internet-facing deployments.
CVE-2025-48999 enables attackers to inject malicious JDBC parameters, CVE-2025-49002 allows code execution through JDBC parameters, and CVE-2025-49001 permits unauthorized access via JWT tokens.
Recommended mitigations include placing a WAF or firewall in front of the application, restricting outbound network access from the DataEase host, and upgrading to DataEase v2.10.10, which fixes the vulnerabilities.
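The JDBC-parameter issues above come down to one design rule for any application that lets users define their own data sources: never forward a user-controlled query string to the JDBC driver. The example below is added here to illustrate that rule; it is not DataEase code and is not taken from the advisory. It is written in Python rather than Java for readability, and it assumes a MySQL-style `jdbc:mysql://` URL and a hypothetical allowlist of four Connector/J options (`useSSL`, `serverTimezone`, `characterEncoding`, `connectTimeout`) chosen for the example. Keys are percent-decoded and compared case-insensitively before the allowlist check, because drivers are lenient about both, and the URL the driver finally sees is rebuilt from the validated parameters rather than passed through.

```python
"""Allowlist validation of user-supplied JDBC connection parameters.

Added example (not DataEase project code). A data-source form should accept
only a small, closed set of driver options and rebuild the JDBC URL itself,
instead of appending whatever query string the user typed.
"""
import re
from urllib.parse import unquote

# Assumption for the example: these four MySQL Connector/J options are the only
# ones the application legitimately needs. Keys are matched case-insensitively
# (after percent-decoding) and mapped back to their canonical spelling.
ALLOWED_PARAMS = {
    "usessl": "useSSL",
    "servertimezone": "serverTimezone",
    "characterencoding": "characterEncoding",
    "connecttimeout": "connectTimeout",
}

# Each allowed option also gets a value pattern, so a permitted key cannot be
# used to smuggle arbitrary text to the driver. Patterns are constructed for
# the example; every character they admit is safe to emit unencoded.
VALUE_RULES = {
    "useSSL": re.compile(r"(true|false)"),
    "serverTimezone": re.compile(r"[A-Za-z0-9_/\-]{1,40}"),
    "characterEncoding": re.compile(r"(UTF-8|utf8)"),
    "connectTimeout": re.compile(r"[0-9]{1,7}"),
}


def parse_query(query: str) -> list[tuple[str, str]]:
    """Split a raw query string into decoded (key, value) pairs."""
    pairs = []
    for item in query.split("&"):
        if not item:
            continue
        key, _, value = item.partition("=")
        # Decode before comparing: "%75seSSL" and "useSSL" must be treated alike.
        pairs.append((unquote(key).strip(), unquote(value)))
    return pairs


def validate_jdbc_url(url: str) -> tuple[bool, str]:
    """Return (True, canonical_url) or (False, reason).

    Only the host/database part supplied by the user is kept verbatim, and
    even that is checked for delimiter characters that could carry options.
    """
    if not url.startswith("jdbc:mysql://"):
        return False, "unsupported driver prefix"
    base, _, query = url.partition("?")
    if any(ch in base for ch in "&=;#\\ "):
        return False, "illegal character in host/database part"

    accepted: dict[str, str] = {}
    for raw_key, raw_value in parse_query(query):
        canonical = ALLOWED_PARAMS.get(raw_key.lower())
        if canonical is None:
            # Allowlist, not denylist: anything unknown is rejected outright.
            return False, f"parameter not in allowlist: {raw_key!r}"
        if canonical in accepted:
            # Duplicates (e.g. differing only in case) are ambiguous; reject.
            return False, f"duplicate parameter: {canonical}"
        if not VALUE_RULES[canonical].fullmatch(raw_value):
            return False, f"illegal value for {canonical}: {raw_value!r}"
        accepted[canonical] = raw_value

    # Rebuild the URL from validated parts only; values contain no characters
    # outside their patterns, so no encoding is needed here.
    rebuilt = "&".join(f"{k}={v}" for k, v in sorted(accepted.items()))
    return True, base + (f"?{rebuilt}" if rebuilt else "")


if __name__ == "__main__":
    # Constructed inputs for a quick manual run.
    for candidate in (
        "jdbc:mysql://db.internal:3306/sales?useSSL=true&serverTimezone=UTC",
        "jdbc:mysql://db.internal:3306/sales?useSSL=true&unknownOption=1",
        "jdbc:mysql://db.internal:3306/sales?useSSL=true&USESSL=false",
        "jdbc:mysql://db.internal:3306/sales?connectTimeout=10;x",
    ):
        print(candidate, "->", validate_jdbc_url(candidate))
```

In a Java code base the same idea is better expressed by never concatenating a query string at all: build the URL with only scheme, host, port and database, and pass the validated options to `DriverManager.getConnection` through a `Properties` object populated from the allowlist.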