CVE-2025-10702: Critical Code Injection Vulnerability in Progress DataDirect JDBC Drivers

Overview

CVE-2025-10702 describes an “Improper Control of Generation of Code (‘Code Injection’)” vulnerability affecting the Progress DataDirect Connect for JDBC drivers, the Progress DataDirect OpenAccess JDBC driver, and Hybrid Data Pipeline. Successful exploitation allows Remote Code Inclusion (RCI). The issue stems from an undocumented syntax construct in the `SpyAttributes` connection option.

Technical Details

The `SpyAttributes` connection option in the DataDirect Connect for JDBC drivers, the DataDirect Hybrid Data Pipeline JDBC driver, and the DataDirect OpenAccess JDBC driver accepts an undocumented syntax that an attacker could leverage. If an application lets an end user supply the value of the `SpyAttributes` connection option, a malicious actor can use this undocumented syntax to force the driver to load an arbitrary class from the classpath and execute its constructor. The result is injection and execution of attacker-chosen code on the system running the driver.

CVSS Analysis

At the time of publication (2025-11-19T16:15:46.187), no CVSS score had been assigned (N/A). Given the potential for Remote Code Inclusion, the vulnerability should nonetheless be treated as high risk and addressed immediately.

Possible Impact

Successful exploitation of CVE-2025-10702 could lead to:

  • Remote code execution on the server hosting the vulnerable application.
  • Data breaches and unauthorized access to sensitive information.
  • System compromise and potential for lateral movement within the network.
  • Denial of service due to malicious code disrupting normal operations.

Affected Versions

The following products and versions are affected. It is highly recommended to upgrade to the fixed versions:

  • DataDirect Connect for JDBC for Amazon Redshift: through 6.0.0.001392, fixed in 6.0.0.001541
  • DataDirect Connect for JDBC for Apache Cassandra: through 6.0.0.000805, fixed in 6.0.0.000833
  • DataDirect Connect for JDBC for Hive: through 6.0.1.001499, fixed in 6.0.1.001628
  • DataDirect Connect for JDBC for Apache Impala: through 6.0.0.001155, fixed in 6.0.0.001279
  • DataDirect Connect for JDBC for Apache SparkSQL: through 6.0.1.001222, fixed in 6.0.1.001344
  • DataDirect Connect for JDBC Autonomous REST Connector: through 6.0.1.006961, fixed in 6.0.1.007063
  • DataDirect Connect for JDBC for DB2: through 6.0.0.000717, fixed in 6.0.0.000964
  • DataDirect Connect for JDBC for Google Analytics 4: through 6.0.0.000454, fixed in 6.0.0.000525
  • DataDirect Connect for JDBC for Google BigQuery: through 6.0.0.002279, fixed in 6.0.0.002410
  • DataDirect Connect for JDBC for Greenplum: through 6.0.0.001712, fixed in 6.0.0.001727
  • DataDirect Connect for JDBC for Informix: through 6.0.0.000690, fixed in 6.0.0.000851
  • DataDirect Connect for JDBC for Microsoft Dynamics 365: through 6.0.0.003161, fixed in 6.0.0.003198
  • DataDirect Connect for JDBC for Microsoft SQLServer: through 6.0.0.001936, fixed in 6.0.0.001957
  • DataDirect Connect for JDBC for Microsoft Sharepoint: through 6.0.0.001559, fixed in 6.0.0.001587
  • DataDirect Connect for JDBC for MongoDB: through 6.1.0.001654, fixed in 6.1.0.001669
  • DataDirect Connect for JDBC for MySQL: through 5.1.4.000330, fixed in 5.1.4.000364
  • DataDirect Connect for JDBC for Oracle Database: through 6.0.0.001747, fixed in 6.0.0.001776
  • DataDirect Connect for JDBC for Oracle Eloqua: through 6.0.0.001438, fixed in 6.0.0.001458
  • DataDirect Connect for JDBC for Oracle Sales Cloud: through 6.0.0.001225, fixed in 6.0.0.001316
  • DataDirect Connect for JDBC for Oracle Service Cloud: through 5.1.4.000298, fixed in 5.1.4.000309
  • DataDirect Connect for JDBC for PostgreSQL: through 6.0.0.001843, fixed in 6.0.0.001856
  • DataDirect Connect for JDBC for Progress OpenEdge: through 5.1.4.000187, fixed in 5.1.4.000189
  • DataDirect Connect for JDBC for Salesforce: through 6.0.0.003020, fixed in 6.0.0.003125
  • DataDirect Connect for JDBC for SAP HANA: through 6.0.0.000879, product retired
  • DataDirect Connect for JDBC for SAP S/4 HANA: through 6.0.1.001818, fixed in 6.0.1.001858
  • DataDirect Connect for JDBC for Sybase ASE: through 5.1.4.000161, fixed in 5.1.4.000162
  • DataDirect Connect for JDBC for Snowflake: through 6.0.1.001821, fixed in 6.0.1.001856
  • DataDirect Hybrid Data Pipeline Server: through 4.6.2.3309, fixed in 4.6.2.3430
  • DataDirect Hybrid Data Pipeline JDBC Driver: through 4.6.2.0607, fixed in 4.6.2.1023
  • DataDirect Hybrid Data Pipeline On Premises Connector: through 4.6.2.1223, fixed in 4.6.2.1339
  • DataDirect Hybrid Data Pipeline Docker: through 4.6.2.3316, fixed in 4.6.2.3430
  • DataDirect OpenAccess JDBC Driver: through 8.1.0.0177, fixed in 8.1.0.0183
  • DataDirect OpenAccess JDBC Driver: through 9.0.0.0019, fixed in 9.0.0.0022

Mitigation & Patch Steps

  1. Upgrade: Immediately upgrade to the fixed versions of the affected DataDirect Connect for JDBC drivers, DataDirect Hybrid Data Pipeline, and DataDirect OpenAccess JDBC Driver as listed above.
  2. Input Validation: If your application allows users to specify connection string parameters, implement strict input validation and sanitization to prevent the injection of malicious code through the `SpyAttributes` option. Consider removing the ability for users to specify this option altogether if it is not essential.
  3. Least Privilege: Ensure the application server and database user accounts are configured with the principle of least privilege, limiting the potential impact of a successful exploit.
  4. Monitor: Continuously monitor application logs for any suspicious activity related to JDBC connections and class loading.
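The following is an added example, not code from Progress or from the original post, of the allowlist approach recommended in step 2: user-supplied connection properties are filtered before they reach `DriverManager`, `SpyAttributes` is rejected outright, and the connection URL is checked for the same option in its `;key=value` suffix (the DataDirect URL property syntax assumed here). The class name, the allowlisted keys and the `;key=value` URL check are assumptions for illustration.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

/**
 * Hypothetical allowlist filter for user-supplied JDBC connection properties.
 * Not part of the DataDirect drivers; shown as a defensive pattern only.
 */
public final class ConnectionPropertyPolicy {

    // Only keys an end user has a legitimate reason to set (assumed list).
    // Anything else is dropped instead of being forwarded to the driver.
    private static final Set<String> ALLOWED_KEYS = Set.of("user", "password", "databasename");

    // Options that must never come from untrusted input. Listed explicitly so
    // the rejection stays visible in code review even if the allowlist grows.
    private static final Set<String> DENIED_KEYS = Set.of("spyattributes");

    private ConnectionPropertyPolicy() {}

    /** Returns only allowlisted properties; throws if a denied option is present. */
    public static Properties filter(Map<String, String> untrusted) {
        Properties safe = new Properties();
        for (Map.Entry<String, String> e : untrusted.entrySet()) {
            // Normalise so "SpyAttributes", " spyattributes " etc. all match.
            String key = e.getKey().trim().toLowerCase(Locale.ROOT);
            if (DENIED_KEYS.contains(key)) {
                throw new IllegalArgumentException("connection option not permitted: " + e.getKey());
            }
            if (ALLOWED_KEYS.contains(key)) {
                safe.setProperty(key, e.getValue());
            }
            // Unknown keys fall through and are silently dropped (allowlist semantics).
        }
        return safe;
    }

    /** True if the URL smuggles a denied option through its ';key=value' suffix. */
    public static boolean urlCarriesDeniedOption(String jdbcUrl) {
        String lower = jdbcUrl.toLowerCase(Locale.ROOT);
        for (String denied : DENIED_KEYS) {
            if (lower.contains(";" + denied + "=")) {
                return true;
            }
        }
        return false;
    }
}
```

Call `filter(...)` on the user-controlled map and `urlCarriesDeniedOption(...)` on the assembled URL before opening the connection; a rejected request should also be logged, which feeds step 4.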
