Overview
A critical vulnerability, identified as CVE-2025-10703, has been discovered in the Progress DataDirect Connect for JDBC drivers, the Progress DataDirect OpenAccess JDBC driver and Hybrid Data Pipeline. Classified as Improper Control of Generation of Code ('Code Injection', CWE-94), it allows Remote Code Inclusion (RCI). The flaw lies in how the SpyAttributes connection option is handled.
Technical Details
The SpyAttributes connection option enables DataDirect Spy, the driver's own logging facility; its log=(file)<path> attribute tells the driver where to write that log. Because the log records the JDBC activity the driver sees, content influenced by the caller can end up in the file, and an attacker who controls the option also controls where the file is written. If an application lets end users supply the value of SpyAttributes, and the driver process can write to a web-accessible location using an extension the server treats as script (for example .js), the application server may serve the log file as a resource. When a user's browser fetches it, the JavaScript the attacker placed in the log executes in that browser, potentially compromising the user's session. Two conditions must therefore hold for exploitation: the application exposes SpyAttributes to untrusted input, and a directory the driver can write to is also served by the web tier.
CVSS Analysis
At the time of writing, no CVSS score has been published for CVE-2025-10703. Given that successful exploitation yields arbitrary JavaScript execution in victims' browsers, treat the severity as high. We strongly recommend immediate patching.
Possible Impact
Successful exploitation of CVE-2025-10703 could lead to:
- Client-side script execution: the injected JavaScript runs in the browser of every user who loads the served log file, under the application's origin. The flaw as described gives the attacker code inclusion on the web tier, not arbitrary code execution on the database or application server itself.
- Cross-Site Scripting (XSS): the injected code can carry out the usual XSS payloads, stealing session tokens or credentials and performing actions on behalf of the user.
- Data Exfiltration: anything reachable from the victim's browser session (page contents, application responses, data the user is authorised to view) can be sent to an attacker-controlled host.
- Compromised Database Connections: indirectly, a hijacked user session can drive the application's own database connection, exposing whatever data that user is permitted to query or change.
Affected Versions
The following versions of Progress DataDirect products are affected by this vulnerability:
- DataDirect Connect for JDBC for Amazon Redshift: through 6.0.0.001392, fixed in 6.0.0.001541
- DataDirect Connect for JDBC for Apache Cassandra: through 6.0.0.000805, fixed in 6.0.0.000833
- DataDirect Connect for JDBC for Hive: through 6.0.1.001499, fixed in 6.0.1.001628
- DataDirect Connect for JDBC for Apache Impala: through 6.0.0.001155, fixed in 6.0.0.001279
- DataDirect Connect for JDBC for Apache SparkSQL: through 6.0.1.001222, fixed in 6.0.1.001344
- DataDirect Connect for JDBC Autonomous REST Connector: through 6.0.1.006961, fixed in 6.0.1.007063
- DataDirect Connect for JDBC for DB2: through 6.0.0.000717, fixed in 6.0.0.000964
- DataDirect Connect for JDBC for Google Analytics 4: through 6.0.0.000454, fixed in 6.0.0.000525
- DataDirect Connect for JDBC for Google BigQuery: through 6.0.0.002279, fixed in 6.0.0.002410
- DataDirect Connect for JDBC for Greenplum: through 6.0.0.001712, fixed in 6.0.0.001727
- DataDirect Connect for JDBC for Informix: through 6.0.0.000690, fixed in 6.0.0.0851
- DataDirect Connect for JDBC for Microsoft Dynamics 365: through 6.0.0.003161, fixed in 6.0.0.3198
- DataDirect Connect for JDBC for Microsoft SQLServer: through 6.0.0.001936, fixed in 6.0.0.001957
- DataDirect Connect for JDBC for Microsoft Sharepoint: through 6.0.0.001559, fixed in 6.0.0.001587
- DataDirect Connect for JDBC for MongoDB: through 6.1.0.001654, fixed in 6.1.0.001669
- DataDirect Connect for JDBC for MySQL: through 5.1.4.000330, fixed in 5.1.4.000364
- DataDirect Connect for JDBC for Oracle Database: through 6.0.0.001747, fixed in 6.0.0.001776
- DataDirect Connect for JDBC for Oracle Eloqua: through 6.0.0.001438, fixed in 6.0.0.001458
- DataDirect Connect for JDBC for Oracle Sales Cloud: through 6.0.0.001225, fixed in 6.0.0.001316
- DataDirect Connect for JDBC for Oracle Service Cloud: through 5.1.4.000298, fixed in 5.1.4.000309
- DataDirect Connect for JDBC for PostgreSQL: through 6.0.0.001843, fixed in 6.0.0.001856
- DataDirect Connect for JDBC for Progress OpenEdge: through 5.1.4.000187, fixed in 5.1.4.000189
- DataDirect Connect for JDBC for Salesforce: through 6.0.0.003020, fixed in 6.0.0.003125
- DataDirect Connect for JDBC for SAP HANA: through 6.0.0.000879, product retired
- DataDirect Connect for JDBC for SAP S/4 HANA: through 6.0.1.001818, fixed in 6.0.1.001858
- DataDirect Connect for JDBC for Sybase ASE: through 5.1.4.000161, fixed in 5.1.4.000162
- DataDirect Connect for JDBC for Snowflake: through 6.0.1.001821, fixed in 6.0.1.001856
- DataDirect Hybrid Data Pipeline Server: through 4.6.2.3309, fixed in 4.6.2.3430
- DataDirect Hybrid Data Pipeline JDBC Driver: through 4.6.2.0607, fixed in 4.6.2.1023
- DataDirect Hybrid Data Pipeline On Premises Connector: through 4.6.2.1223, fixed in 4.6.2.1339
- DataDirect Hybrid Data Pipeline Docker: through 4.6.2.3316, fixed in 4.6.2.3430
- DataDirect OpenAccess JDBC Driver: through 8.1.0.0177, fixed in 8.1.0.0183
- DataDirect OpenAccess JDBC Driver: through 9.0.0.0019, fixed in 9.0.0.0022
Mitigation and Patch Steps
- Upgrade: Immediately upgrade to the fixed builds of the affected DataDirect Connect for JDBC drivers, Hybrid Data Pipeline components and OpenAccess JDBC Driver listed in the affected versions section above. The SAP HANA driver is retired and receives no fix; replace it.
- Restrict Access: Do not let end users set JDBC connection parameters, especially the SpyAttributes option. If the application must accept connection options from callers, allowlist the attributes it will pass through and confine any log=(file) path to a dedicated, non-web-served directory with a fixed .log extension, rather than trying to sanitize arbitrary paths.
- Web Server Configuration: Ensure the web server never serves driver log files: do not write logs under any document root, and do not rely on extension filtering alone, since a log file named with .js or any other extension the server treats as script will be served as such.
- Monitor: Log and review JDBC connections that enable DataDirect Spy, watch for log files appearing outside the expected directory (particularly under web roots), and alert on unexpected .js or similar files turning up in served locations.
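The following is an added example, not code from Progress or from this advisory: a Python allowlist validator for a caller-supplied SpyAttributes value, illustrating the attack construct from the Technical Details section and the "Restrict Access" mitigation above. It shows the vulnerable pattern (a caller-controlled value copied straight into the connection properties) beside a hardened one that mirrors the check a Java application would perform before calling DriverManager.getConnection. The log directory, the allowlisted attribute names, the builder function names and the attacker input are assumptions constructed for illustration; it also goes a little beyond the text by rejecting attributes outside an allowlist, not only bad log paths.

```python
"""Added example (not Progress code): allowlist validation of a DataDirect
SpyAttributes value before it reaches the JDBC driver.

DataDirect Spy syntax: SpyAttributes=(log=(file)<path>;attr=value;...),
with (out) as the alternative log target. Everything application-specific
below (directory, allowlist, builder names) is an assumption.
"""
from pathlib import Path

# Assumption: the only directory the driver may write Spy logs to.
# It must not sit under any web server document root.
ALLOWED_LOG_DIR = Path("/var/log/app/jdbc-spy")
ALLOWED_LOG_SUFFIX = ".log"
# Assumption: the Spy attributes this application will pass through.
ALLOWED_ATTRS = {"log", "linelimit", "logTName", "timestamp"}
YES_NO = {"yes", "no"}


class SpyAttributesError(ValueError):
    """Raised when a caller-supplied SpyAttributes value is rejected."""


def parse_spy_attributes(value: str) -> dict:
    """Split '(log=(file)/p;linelimit=80)' into {'log': '(file)/p', 'linelimit': '80'}.
    A path containing ';' cannot be expressed in this syntax; it fails as malformed."""
    v = value.strip()
    if v.startswith("(") and v.endswith(")"):
        v = v[1:-1]
    attrs = {}
    for part in (p.strip() for p in v.split(";")):
        if not part:
            continue
        if "=" not in part:
            raise SpyAttributesError(f"malformed attribute: {part!r}")
        key, val = (s.strip() for s in part.split("=", 1))
        if key in attrs:
            raise SpyAttributesError(f"duplicate attribute: {key!r}")
        attrs[key] = val
    return attrs


def validate_log_target(log_value: str) -> str:
    """Return '(out)' or '(file)<canonical path>'. A file target must resolve
    (after '..' and symlink normalisation) to a file directly inside
    ALLOWED_LOG_DIR with the .log suffix, so no web root or script
    extension can be reached."""
    if log_value == "(out)":
        return "(out)"
    prefix = "(file)"
    if not log_value.startswith(prefix):
        raise SpyAttributesError("log target must be (out) or (file)<path>")
    raw = log_value[len(prefix):]
    if not raw or "\x00" in raw:
        raise SpyAttributesError("empty or NUL-containing log path")
    base = ALLOWED_LOG_DIR.resolve()
    candidate = Path(raw)
    if not candidate.is_absolute():
        candidate = base / candidate
    resolved = candidate.resolve()  # collapses '..' and follows symlinks
    if resolved.parent != base:
        raise SpyAttributesError(f"log path escapes {base}: {resolved}")
    if resolved.suffix != ALLOWED_LOG_SUFFIX:
        raise SpyAttributesError(f"log file must end in {ALLOWED_LOG_SUFFIX}: {resolved.name}")
    return f"{prefix}{resolved}"


def validate_spy_attributes(value: str) -> str:
    """Validate a caller-supplied value and return the canonical form to hand
    to the driver; raise SpyAttributesError otherwise."""
    attrs = parse_spy_attributes(value)
    unknown = set(attrs) - ALLOWED_ATTRS
    if unknown:
        raise SpyAttributesError(f"attribute(s) not allowed: {sorted(unknown)}")
    if "log" in attrs:
        attrs["log"] = validate_log_target(attrs["log"])
    if "linelimit" in attrs and not attrs["linelimit"].isdigit():
        raise SpyAttributesError("linelimit must be a non-negative integer")
    for flag in ("logTName", "timestamp"):
        if flag in attrs and attrs[flag].lower() not in YES_NO:
            raise SpyAttributesError(f"{flag} must be yes or no")
    return "(" + ";".join(f"{k}={v}" for k, v in attrs.items()) + ")"


def is_accepted(value: str) -> bool:
    """True if validate_spy_attributes accepts value."""
    try:
        validate_spy_attributes(value)
        return True
    except SpyAttributesError:
        return False


def build_connection_props_vulnerable(user_spy: str) -> dict:
    """The pattern the advisory warns about: caller input copied verbatim."""
    return {"user": "app", "SpyAttributes": user_spy}


def build_connection_props_hardened(user_spy: str) -> dict:
    """Only the validated canonical value reaches the driver."""
    return {"user": "app", "SpyAttributes": validate_spy_attributes(user_spy)}


# Constructed attacker input: a log target under a web root with a .js suffix.
ATTACKER_SPY = "(log=(file)/var/www/html/static/spy.js;timestamp=yes)"

if __name__ == "__main__":
    print("vulnerable:", build_connection_props_vulnerable(ATTACKER_SPY))
    try:
        build_connection_props_hardened(ATTACKER_SPY)
    except SpyAttributesError as e:
        print("hardened rejected:", e)
    print("hardened accepted:", build_connection_props_hardened("(log=(file)spy.log;linelimit=80)"))
```

The hardened path canonicalises before comparing, so `..` segments and symlinks cannot carry the log outside the allowlisted directory, and the `.log` suffix is fixed rather than filtered, which is why a `.js` target is rejected even when the directory check would pass.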
