CVE-2025-49001

Source
https://cve.org/CVERecord?id=CVE-2025-49001
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49001.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-49001
Aliases
  • GHSA-xx2m-gmwg-mf3r
Published
2025-06-03T20:33:48.477Z
Modified
2026-07-08T07:01:28.127727638Z
Severity
  • 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
Dataease Authentication Bypass Vulnerability
Details

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.10, secret verification does not take effect successfully, so a user can use any secret to forge a JWT token. The vulnerability has been fixed in v2.10.10. No known workarounds are available.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/49xxx/CVE-2025-49001.json",
    "cwe_ids": [
        "CWE-287"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/dataease/dataease

Affected ranges

Type
GIT
Repo
https://github.com/dataease/dataease
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.10.10"
        },
        {
            "last_affected": "2.10.10"
        }
    ]
}

Affected versions

v1.*
v1.0.0
v2.*
v2.10.0
v2.10.1
v2.10.2
v2.10.3
v2.10.4
v2.10.5
v2.10.6
v2.10.7
v2.10.8
v2.10.9
v2.2.0
v2.3.0
v2.6.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49001.json"