io.dataease
cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*
- <= 2.10.8
A remote code execution vulnerability has been identified in DataEase versions prior to 2.10.10. This issue arises from a flaw in the patch for CVE-2025-32966, where case insensitivity allows the bypassing of restrictions on certain commands. The vulnerability is exploited through the H2 database by crafting a JDBC connection string that includes malicious SQL payloads.
Exploitation of this vulnerability allows authenticated users to execute arbitrary code on the server via the H2 database connection.
To reproduce this vulnerability, first upload a malicious SQL file (poc.sql) to a server that the DataEase application can access. This file should contain SQL commands that, when executed, will perform an action such as creating a file or establishing a reverse shell connection. Next, send a POST request to the '/de2api/datasource/validate' endpoint with an 'X-DE-TOKEN' header that includes a forged JWT token. The request must also include a 'configuration' parameter that contains a JDBC connection string for the H2 database. This connection string should be crafted to include the 'INIT=RUNSCRIPT FROM' command, pointing to the uploaded SQL file. Once the request is processed, the SQL payload will be executed, leading to remote code execution on the server.
Users are advised to upgrade to DataEase version 2.10.10 or later, where this vulnerability has been fixed.
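For teams that validate JDBC URLs in their own code, the following added example (not DataEase's code or its actual patch) contrasts a case-sensitive keyword filter with a check that normalises case and allowlists H2 setting names. The class and method names, the naive filter, the allowlist contents, and the sample URLs are assumptions made for illustration.

```java
import java.util.Locale;
import java.util.Set;

public class H2UrlCheck {
    // Assumed allowlist of H2 settings a deployment needs; adjust locally.
    static final Set<String> ALLOWED = Set.of("mode", "db_close_delay");

    // Hypothetical case-sensitive keyword filter: mixed case slips past it.
    static boolean naiveAllows(String url) {
        return !url.contains("INIT") && !url.contains("RUNSCRIPT");
    }

    // Normalise case first, then accept only allowlisted setting names.
    static boolean strictAllows(String url) {
        String u = url.trim().toLowerCase(Locale.ROOT);
        if (!u.startsWith("jdbc:h2:")) return false;
        String[] parts = u.split(";");
        // parts[0] is the database path; the rest are KEY=VALUE settings.
        for (int i = 1; i < parts.length; i++) {
            String part = parts[i].trim();
            if (part.isEmpty()) continue;
            String key = part.split("=", 2)[0].trim();
            if (!ALLOWED.contains(key)) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample URLs; the script location is a placeholder.
        String[] samples = {
            "jdbc:h2:mem:test;MODE=MySQL",
            "jdbc:h2:mem:test;INIT=RUNSCRIPT FROM '<script-url>'",
            "jdbc:h2:mem:test;iNiT=rUnScRiPt FROM '<script-url>'"
        };
        for (String s : samples) {
            System.out.printf("naive=%-5b strict=%-5b %s%n",
                naiveAllows(s), strictAllows(s), s);
        }
    }
}
```

An allowlist of setting names fails closed: a setting it does not recognise is rejected regardless of how it is spelled or cased.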