CVE-2025-46566: Java Case Sensitive Url Decode Blacklist Bypass
greprules fetch cve-2025-46566-java-case-sensitive-url-decode-blacklist-bypass --engine opengrep
Description
Case-sensitive String.contains() blacklist applied to a URL-decoded JDBC/connection URL is bypassable because JDBC drivers (Redshift, PostgreSQL, MySQL, etc.) parse connection parameter names case-insensitively. An attacker can change the case of a forbidden parameter (e.g. SocketFactory instead of socketFactory) to evade the filter and reach dangerous param
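As an added example (not code from this rule page or from the project the CVE affects), the vulnerable pattern the description names is shown beside a hardened check that parses the parameter names out of the URL and compares them the way the driver does, case-insensitively. Only socketFactory comes from the page; the other denylist and allowlist entries, the sample URLs and the factory class name are constructed for this example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

/**
 * Added example: a case-sensitive String.contains() denylist on a decoded
 * JDBC URL, beside checks that operate on parsed parameter names.
 */
public class JdbcUrlParamCheck {

    // Parameter names the application refuses to forward to the driver.
    // socketFactory is from the rule description; socketFactoryArg is an
    // assumed second entry for illustration.
    private static final List<String> DENIED = Arrays.asList("socketFactory", "socketFactoryArg");

    // Parameters the application actually needs (assumed set for this example).
    private static final Set<String> ALLOWED = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
    static {
        ALLOWED.addAll(Arrays.asList("user", "password", "ssl", "sslmode"));
    }

    /** Vulnerable: decode the whole URL, then case-sensitive substring match. */
    static boolean vulnerableAllows(String jdbcUrl) {
        String decoded = URLDecoder.decode(jdbcUrl, StandardCharsets.UTF_8);
        for (String bad : DENIED) {
            if (decoded.contains(bad)) {
                return false;
            }
        }
        return true; // "SocketFactory=..." passes, but the driver treats it as socketFactory
    }

    /** Split the query string into parameter names, decoding each name on its own. */
    static Set<String> parameterNames(String jdbcUrl) {
        // A TreeSet with CASE_INSENSITIVE_ORDER makes contains() case-insensitive.
        Set<String> names = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        int q = jdbcUrl.indexOf('?');
        if (q < 0) {
            return names;
        }
        for (String pair : jdbcUrl.substring(q + 1).split("&")) {
            if (pair.isEmpty()) {
                continue;
            }
            int eq = pair.indexOf('=');
            String rawName = eq < 0 ? pair : pair.substring(0, eq);
            names.add(URLDecoder.decode(rawName, StandardCharsets.UTF_8));
        }
        return names;
    }

    /** Hardened denylist: match parsed names case-insensitively, as the driver does. */
    static boolean hardenedDenylistAllows(String jdbcUrl) {
        Set<String> names = parameterNames(jdbcUrl);
        for (String bad : DENIED) {
            if (names.contains(bad)) {
                return false;
            }
        }
        return true;
    }

    /** Preferred: reject any parameter that is not on the allowlist. */
    static boolean allowlistAllows(String jdbcUrl) {
        return ALLOWED.containsAll(parameterNames(jdbcUrl));
    }

    public static void main(String[] args) {
        // Constructed sample URLs for this example.
        String plain = "jdbc:postgresql://db.example/app?user=app&socketFactory=com.example.Factory";
        String caseSwap = "jdbc:postgresql://db.example/app?user=app&SocketFactory=com.example.Factory";
        for (String url : Arrays.asList(plain, caseSwap)) {
            System.out.printf("%s%n  vulnerable=%b denylist=%b allowlist=%b%n", url,
                    vulnerableAllows(url), hardenedDenylistAllows(url), allowlistAllows(url));
        }
    }
}
```

Run with `java JdbcUrlParamCheck.java`: the first URL is rejected by all three checks, the case-swapped one is accepted only by the vulnerable substring check. The hardened checks work on parsed, individually decoded names rather than on substrings of the whole URL, so a case change cannot slip past them; the allowlist is the stronger of the two because it does not depend on enumerating every parameter the driver treats as dangerous.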
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided