Datart authenticated RCE (CVE-2025-70830)

Exploitation confirmed - public proof-of-concept - CVE-2025-70830 is a critical server-side template injection (SSTI) flaw in Datart that lets any authenticated attacker execute arbitrary commands on the underlying OS, leading to full server compromise. Upgrade to the patched release without delay.

Overview

A critical security vulnerability has been identified in Datart, an open-source data visualization platform. This flaw allows an authenticated attacker to execute arbitrary code on the server hosting the application, potentially leading to a complete system compromise.

Vulnerability Explanation

In simple terms, the application uses a template engine (Freemarker) to dynamically generate content. A specific input field, intended for SQL scripts, does not properly validate or sanitize user input. An attacker with a valid user account can inject malicious template code into this field. The server then processes this code as part of the template, mistakenly executing the attacker’s commands instead of treating them as plain data. This type of attack is known as Server-Side Template Injection (SSTI).

Potential Impact

The impact of this vulnerability is severe. A successful exploit could allow an attacker to:

• Execute any command or code on the underlying server operating system.
• Steal, modify, or delete sensitive data from the server or connected databases.
• Install malware or create a persistent backdoor for ongoing access.
• Use the compromised server as a launch point for attacks on other internal systems.

Given that exploitation requires only a standard authenticated account, the risk to affected deployments is very high.

Remediation and Mitigation

The most effective action is to apply the official patch immediately.

1. Primary Remediation: Upgrade Datart to a patched version as soon as it is released by the vendor. Monitor the official Datart GitHub repository or security advisories for the fixed version addressing CVE-2025-70830.

2. Immediate Mitigation (If Patching is Delayed):

   • Restrict Access: Tighten network controls to limit access to the Datart application to only trusted users and IP addresses.
   • Review Permissions: Audit user accounts and enforce the principle of least privilege. Ensure no unnecessary accounts have write or execute permissions, especially for the SQL script functionality.
   • Monitor Logs: Closely monitor application and system logs for any unusual activity, particularly unexpected processes or file modifications originating from the Datart service account.

Note: Input validation at the application level is not a sufficient mitigation for this specific flaw once it is present. Patching the core vulnerability is the only complete solution.