CVE-2025-53006

moderate-risk

Published 2025-07-02

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, in both PostgreSQL and Redshift, apart from parameters like "socketfactory" and "socketfactoryarg", there are also "sslfactory" and "sslfactoryarg" with similar functionality. The difference lies in that "sslfactory" and related parameters need to be triggered after establishing the connection. Other similar parameters include "sslhostnameverifier", "sslpasswordcallback", and "authenticationPluginClassName". This issue has been patched in 2.10.11.

Do I need to act?

0.12% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Dataease

Affected Vendors

Dataease

References (1)

Exploit https://github.com/dataease/dataease/security/advisories/GHSA-q726-5pr9-x7gm

/ 100

moderate-risk

Severity 32/34 · Critical

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal