Platform: docker
Component: docker
Fixed in: 6.0.1, 6.0.2, 6.1.1, 5.1.5, 4.6.3, 8.1.1, 9.0.1
CVE-2025-10702 describes a Code Injection vulnerability affecting Progress DataDirect Connect for JDBC, DataDirect Open Access JDBC, and DataDirect Hybrid Data Pipeline JDBC drivers. This vulnerability allows for Remote Code Inclusion (RCI) through the exploitation of an undocumented syntax within the SpyAttribute connection option. Affected versions are those prior to the patch released on 2025-11-19. Immediate action is recommended to prevent potential compromise.
The vulnerability lies in the improper handling of the SpyAttribute connection option. This option, intended for debugging and monitoring purposes, contains an undocumented syntax that attackers can exploit. By crafting malicious input for this option, an attacker can inject and execute arbitrary code on the server hosting the JDBC driver. This could lead to complete system compromise, including data exfiltration, privilege escalation, and the installation of persistent malware. The blast radius extends to any application utilizing these JDBC drivers, particularly those allowing user-controlled input to influence connection parameters. This is similar in concept to other JDBC injection vulnerabilities where improperly sanitized connection strings are exploited.
CVE-2025-10702 was publicly disclosed on 2025-11-19. The EPSS score is currently pending evaluation, but the nature of the vulnerability (Remote Code Inclusion) suggests a potentially high probability of exploitation. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's severity warrants immediate attention. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Exploit Status
EPSS: 0.35% (57th percentile)
CISA SSVC
The primary mitigation is to upgrade to a patched version of the DataDirect JDBC drivers. Progress has released a fix on 2025-11-19; ensure your environment is updated to this version or later. As a temporary workaround, if upgrading is not immediately feasible, consider disabling the SpyAttribute option entirely if it is not essential for your application's functionality. Review your application's code to ensure that any user-supplied data used in constructing JDBC connection strings is properly validated and sanitized. Implement Web Application Firewall (WAF) rules to block requests containing suspicious patterns in the SpyAttribute parameter.
Update Progress DataDirect Connect for JDBC, DataDirect Open Access JDBC driver and Hybrid Data Pipeline drivers to the latest available version. This will resolve the code injection vulnerability. Refer to the Progress security bulletin for more details and specific upgrade instructions.
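The advisory's workaround is twofold: keep SpyAttribute out of reach of user input, and validate anything user-supplied that ends up in the connection configuration. The following Java class is an added example written for this page, not Progress code and not the DataDirect driver's API. It assumes a generic JDBC setup (java.sql.DriverManager plus java.util.Properties); the allowlisted option names, the base property names, and the sample values are constructed for illustration. Rather than concatenating request data into a JDBC URL, it merges an operator-owned base configuration with a small allowlist of user-influenced keys, refuses any debug option (matched case-insensitively on the SpyAttribute prefix so the plural spelling is caught too), and rejects values containing the separator characters that would let one value become two options.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

/**
 * Builds JDBC connection properties from a fixed, server-side base and a set
 * of user-influenced overrides, so that debug/monitoring options such as
 * SpyAttribute can never be set from user-controlled input.
 *
 * Added example; not Progress code. The allowlisted keys and the property
 * names used below are assumptions for illustration only.
 */
public final class SafeJdbcConfig {

    // Only these keys may be influenced by request-level input (assumed set).
    private static final Set<String> ALLOWED_USER_KEYS =
            Set.of("user", "password", "databasename");

    // Any option starting with this prefix stays under operator control.
    private static final String DEBUG_OPTION_PREFIX = "spyattribute";

    private SafeJdbcConfig() {}

    /** Reject a value that could smuggle an additional option into the connection string. */
    static void validateValue(String name, String value) {
        if (value == null || value.isEmpty()) {
            throw new IllegalArgumentException(name + " must not be empty");
        }
        // ';' and '=' are the usual option separators in JDBC URLs; newlines and other
        // whitespace are refused as well so a value cannot be split by a parser later.
        for (char c : value.toCharArray()) {
            if (c == ';' || c == '=' || Character.isWhitespace(c)) {
                throw new IllegalArgumentException(name + " contains a forbidden separator character");
            }
        }
    }

    /**
     * Merge operator-owned defaults with user-supplied overrides.
     * Throws IllegalArgumentException on any key that is not allowlisted, on any
     * SpyAttribute-style debug option, and on any value with separator characters.
     */
    public static Properties build(Properties serverSideBase, Map<String, String> userSupplied) {
        Properties merged = new Properties();
        merged.putAll(serverSideBase);

        for (Map.Entry<String, String> e : userSupplied.entrySet()) {
            String key = e.getKey().trim().toLowerCase(Locale.ROOT);
            if (key.startsWith(DEBUG_OPTION_PREFIX)) {
                throw new IllegalArgumentException(
                        "debug option " + e.getKey() + " may not be user-controlled");
            }
            if (!ALLOWED_USER_KEYS.contains(key)) {
                throw new IllegalArgumentException(
                        "connection option " + e.getKey() + " is not allowlisted");
            }
            validateValue(e.getKey(), e.getValue());
            merged.setProperty(key, e.getValue());
        }
        return merged;
        // The caller then connects with a fixed URL and the merged Properties, e.g.
        // DriverManager.getConnection(BASE_URL, merged); the URL itself never
        // receives user data.
    }

    public static void main(String[] args) {
        Properties base = new Properties();
        base.setProperty("loginTimeout", "10"); // operator-owned default (assumed name)

        // Constructed input: a legitimate override of allowlisted keys.
        Properties ok = build(base, Map.of("user", "app_reader", "password", "s3cret"));
        System.out.println("accepted: " + ok.stringPropertyNames());

        // Constructed input: an attempt to set the debug option from request data.
        try {
            build(base, Map.of("user", "app_reader", "SpyAttributes", "placeholder"));
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The design choice is that user input only ever selects values for a handful of named keys; it never contributes to the URL string and can never introduce a key the operator did not anticipate. This addresses the advisory's "user-controlled input to influence connection parameters" condition independently of whether the patched driver is installed yet, but it is a workaround, not a substitute for upgrading.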
CVE-2025-10702 is a Code Injection vulnerability affecting Progress DataDirect JDBC drivers, allowing Remote Code Inclusion through the SpyAttribute connection option.
You are affected if you are using Progress DataDirect JDBC drivers older than the patched versions released on 2025-11-19 and the SpyAttribute option is enabled or can be influenced by user input.
Upgrade to a patched version of the DataDirect JDBC drivers released on 2025-11-19 or later. As a temporary workaround, disable the SpyAttribute option if it's not essential.
No public exploitation has been confirmed, but the vulnerability's severity warrants immediate attention and proactive mitigation.
Refer to the Progress Security Advisory for detailed information and the latest updates: [https://www.progress.com/security-advisories](https://www.progress.com/security-advisories)