CVE-2025-49001

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-49001

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49001.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-49001

Aliases

GHSA-xx2m-gmwg-mf3r

Published

2025-06-03T20:33:48.477Z

Modified

2026-04-10T05:28:53.442222Z

Severity

7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator

Summary

Dataease Authentication Bypass Vulnerability

Details

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.10, secret verification does not take effect successfully, so a user can use any secret to forge a JWT token. The vulnerability has been fixed in v2.10.10. No known workarounds are available.

Database specific

{
    "cwe_ids": [
        "CWE-287"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/49xxx/CVE-2025-49001.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/dataease/dataease

Affected ranges

Type: GIT
Repo: https://github.com/dataease/dataease
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

3b8f018abb6d3846a7ebb694bbe5cbf35a932104

Affected versions

v1.*

v1.0.0

v2.*

v2.10.0

v2.10.1

v2.10.2

v2.10.3

v2.10.4

v2.10.5

v2.10.6

v2.10.7

v2.10.8

v2.10.9

v2.2.0

v2.3.0

v2.6.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49001.json"