
CVE-2025-11159: External Script Execution in H2 JDBC Driver

Platform: java

Component: h2database

Fixed in: 11.0

CVE-2025-11159 describes a critical external script execution vulnerability affecting the H2 Database JDBC Driver. This flaw allows an attacker to execute arbitrary code when a new connection is established by a data source administrator. The vulnerability impacts all versions of Hitachi Vantara Pentaho Data Integration & Analytics that utilize the vulnerable JDBC driver (versions 1.0.0 through 11.0). A fix is available in version 11.0.


Impact and Attack Scenarios

Successful exploitation of CVE-2025-11159 allows an attacker to gain complete control over the affected system. By crafting a malicious JDBC connection request, an attacker can execute arbitrary code within the context of the Pentaho Data Integration & Analytics application. This could lead to data breaches, system compromise, and potentially lateral movement within the network. The impact is particularly severe because the vulnerability is triggered during connection creation, a common and often trusted operation. The ability to execute code on the server hosting Pentaho opens the door to a wide range of malicious activities, including data exfiltration, denial of service, and installation of persistent backdoors. This vulnerability shares similarities with other JDBC injection vulnerabilities where malicious SQL or code can be injected through connection parameters.

Exploitation Context

CVE-2025-11159 is currently not listed in the CISA KEV (Known Exploited Vulnerabilities) catalog. The EPSS (Exploit Prediction Scoring System) score is pending evaluation. No public Proof-of-Concept (PoC) exploits have been disclosed as of the publication date. CISA and the NVD (National Vulnerability Database) published this CVE on 2026-05-13, so the vulnerability is newly disclosed and still being assessed for potential exploitation.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Base score: 9.1 (Critical)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
High — admin or privileged account required to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: h2database
Vendor: Hitachi Vantara
Minimum version: 1.0.0
Maximum version: 11.0
Fixed in: 11.0

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published

Mitigation and Workarounds

The primary mitigation for CVE-2025-11159 is to upgrade Pentaho Data Integration & Analytics to a version that includes the patched H2 Database JDBC Driver (version 11.0 or later). If immediate upgrading is not possible, consider restricting access to the data source administrator functionality to trusted users only. Implement strict input validation on all connection parameters to prevent malicious code injection. While not a complete solution, a Web Application Firewall (WAF) configured to inspect JDBC connection requests for suspicious patterns could provide a layer of defense. Monitor Pentaho logs for unusual connection attempts or errors that might indicate exploitation. After upgrading, confirm the fix by attempting to create a new JDBC connection with a potentially malicious payload – it should be rejected.
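One way to apply the "strict input validation on all connection parameters" advice above, as an added example that is not part of this page nor Pentaho's or H2's own code: an allowlist check on H2 JDBC URLs submitted through the data-source administrator form. H2 accepts ;KEY=VALUE settings after the database path in the URL, so the check rejects any setting key that is not on a reviewed allowlist; the class name, the allowlist contents and the sample paths are assumptions.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;

/** Allowlist policy for H2 JDBC URLs entered by a data-source administrator.
 *  Added example, not Pentaho's or H2's own code; the allowlist below is an
 *  assumption for one deployment and should only list settings you have reviewed. */
public final class H2JdbcUrlPolicy {
    private static final String PREFIX = "jdbc:h2:";
    // Hypothetical allowlist of URL settings permitted after the database path.
    private static final Set<String> ALLOWED_SETTINGS = Set.of("DB_CLOSE_DELAY", "IFEXISTS", "MODE");
    public static final class RejectedUrlException extends Exception {
        RejectedUrlException(String message) { super(message); }
    }
    /** Returns the URL unchanged when every ;KEY=VALUE setting is allowlisted, otherwise throws. */
    public static String validate(String url) throws RejectedUrlException {
        if (url == null || !url.regionMatches(true, 0, PREFIX, 0, PREFIX.length())) {
            throw new RejectedUrlException("not an H2 JDBC URL");
        }
        // H2 appends settings to the database path as ;KEY=VALUE pairs; segment 0 is the path.
        String[] segments = url.substring(PREFIX.length()).split(";", -1);
        if (segments[0].isBlank()) {
            throw new RejectedUrlException("empty database path");
        }
        for (int i = 1; i < segments.length; i++) {
            String segment = segments[i].trim();
            if (segment.isEmpty()) continue;
            int eq = segment.indexOf('=');
            // H2 treats setting names case-insensitively, so normalise before the lookup.
            String key = (eq < 0 ? segment : segment.substring(0, eq)).trim().toUpperCase(Locale.ROOT);
            if (!ALLOWED_SETTINGS.contains(key)) {
                // Report the offending key only; the value may be attacker-controlled.
                throw new RejectedUrlException("connection setting not permitted: " + key);
            }
        }
        return url;
    }
    public static void main(String[] args) {
        // Constructed sample inputs; not real connection strings from any deployment.
        List<String> samples = List.of(
            "jdbc:h2:file:/var/lib/pentaho/reports;IFEXISTS=TRUE",
            "jdbc:h2:file:/var/lib/pentaho/reports;TRACE_LEVEL_FILE=3",
            "jdbc:postgresql://db.example.internal/reports");
        for (String s : samples) {
            try { System.out.println("accepted: " + validate(s)); }
            catch (RejectedUrlException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

Because the URL is split on every semicolon before keys are checked, a value cannot smuggle in an additional setting; any key outside the allowlist, including ones a legitimate user might want, is refused until it has been reviewed and added.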

How to fix

Update the H2 JDBC driver to version 10.2.0.7 or later, or to version 11.0 or later, to mitigate the external script execution vulnerability. Check the data source configuration to ensure that only authorized users can create new connections. Consult the Hitachi Vantara Pentaho documentation for specific upgrade instructions.

Frequently asked questions

What is CVE-2025-11159 — External Script Execution in H2 JDBC Driver?

CVE-2025-11159 is a critical vulnerability in the H2 Database JDBC Driver affecting versions 1.0.0–11.0. It allows an attacker to execute arbitrary code through a malicious JDBC connection request, impacting Pentaho Data Integration & Analytics deployments.

Am I affected by CVE-2025-11159 in H2 JDBC Driver?

You are affected if you use Hitachi Vantara Pentaho Data Integration & Analytics and are using the H2 Database JDBC Driver in versions 1.0.0 through 11.0. Verify your Pentaho version and JDBC driver version to determine your risk.

How do I fix CVE-2025-11159 in H2 JDBC Driver?

Upgrade Pentaho Data Integration & Analytics to a version that includes the patched H2 Database JDBC Driver (version 11.0 or later). Restrict data source administrator access and validate connection parameters as an interim measure.

Is CVE-2025-11159 being actively exploited?

As of the publication date, no public Proof-of-Concept (PoC) exploits have been disclosed. However, given the vulnerability's criticality, active exploitation is possible and should be monitored for.

Where can I find the official Hitachi Vantara advisory for CVE-2025-11159?

Refer to the Hitachi Vantara security advisory for CVE-2025-11159, which can be found on the Hitachi Vantara support website. Search for 'CVE-2025-11159 Hitachi Vantara' to locate the relevant advisory.
