SAP HANA JDBC Client Code Loading via Unvalidated Conn Props
CVE-2025-42895 Published on November 11, 2025

Code Injection vulnerability in SAP HANA JDBC Client
Due to insufficient validation of connection property values, the SAP HANA JDBC Client allows a high-privilege locally authenticated user to supply crafted parameters that lead to unauthorized code loading, resulting in low impact on confidentiality and integrity and high impact on availability of the application.

NVD

Vulnerability Analysis

CVE-2025-42895 can be exploited with local system access, requires user interaction and user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:
LOCAL
Attack Complexity:
LOW
Privileges Required:
HIGH
User Interaction:
REQUIRED
Scope:
CHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
HIGH

Weakness Type

What is a Code Injection Vulnerability?

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVE-2025-42895 has been classified to as a Code Injection vulnerability or weakness.


Products Associated with CVE-2025-42895

Want to know whenever a new CVE is published for SAP Hana? stack.watch will email you.

SAP Hana
 

Affected Versions

SAP_SE SAP HANA JDBC Client Version HDB_CLIENT 2.0 is affected by CVE-2025-42895

Exploit Probability

EPSS
0.02%
Percentile
6.17%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.