Summary
Chat2DB (server/web deployment mode) ships with three critical vulnerabilities that combine to allow unauthenticated Remote Code Execution (RCE):
- Default Hardcoded Admin Credentials (CWE-798) — Default admin login
chat2db:chat2db stored as plaintext in database migration and source code, with authentication bypass logic that skips bcrypt verification
- JDBC URL SSRF/RCE (CWE-918/CWE-94) —
preConnect endpoint passes user-controlled JDBC URL to Driver.connect() with zero validation. H2 driver bundled by default enables INIT=RUNSCRIPT → RCE
- Arbitrary JAR Upload + ClassLoader RCE (CWE-434/CWE-94) — Any authenticated user can upload arbitrary JARs and trigger class instantiation via
URLClassLoader.newInstance()
Combined Attack Chain
POST /api/oauth/login_a (chat2db:chat2db) → POST /api/connection/datasource/pre_connect (jdbc:h2:mem:test;INIT=RUNSCRIPT...) → RCE
Impact
- CVSS v3.1: 9.8 (Critical) / CVSS v4.0: 9.5 (Critical)
- Unauthenticated RCE on default deployments
- Full database access (Chat2DB manages other databases' credentials)
- API credential theft from SMS provider integrations
Severity
Critical
PoC
A complete PoC demonstrating the full attack chain has been sent via email to Chat2DB@ch2db.com and is available upon request to maintainers.
Remediation
- Remove default credentials — Require admin to set password on first launch, do not hardcode in SQL migrations
- Fix
validateAdmin() bypass — Remove plaintext comparison, always use bcrypt
- Validate JDBC URLs — Block H2 INIT/RUNSCRIPT, restrict to allowed database host patterns, validate URL scheme
- Restrict JAR uploads — Admin-only, content validation, signed JARs only
- Set environment variables — Document
ADMIN_NAME/ADMIN_PASSWORD as required for production deployments
References
- CWE-798: Use of Hard-coded Credentials
- CWE-918: Server-Side Request Forgery
- CWE-94: Code Injection
- CWE-434: Unrestricted Upload of File with Dangerous Type
We request CVE assignment for these vulnerabilities.
Discoverer
IcySun icysun@qq.com
Manual code review and verification completed.
Summary
Chat2DB (server/web deployment mode) ships with three critical vulnerabilities that combine to allow unauthenticated Remote Code Execution (RCE):
chat2db:chat2dbstored as plaintext in database migration and source code, with authentication bypass logic that skips bcrypt verificationpreConnectendpoint passes user-controlled JDBC URL toDriver.connect()with zero validation. H2 driver bundled by default enablesINIT=RUNSCRIPT→ RCEURLClassLoader.newInstance()Combined Attack Chain
Impact
Severity
Critical
PoC
A complete PoC demonstrating the full attack chain has been sent via email to Chat2DB@ch2db.com and is available upon request to maintainers.
Remediation
validateAdmin()bypass — Remove plaintext comparison, always use bcryptADMIN_NAME/ADMIN_PASSWORDas required for production deploymentsReferences
We request CVE assignment for these vulnerabilities.
Discoverer
IcySun icysun@qq.com
Manual code review and verification completed.