CVE-2025-55674

A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, leading to the disclosure of sensitive database information like the software version. This issue affects Apache Superset: before 5.0.0. Users are recommended to upgrade to version 5.0.0, which fixes the issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/cn49ps15ny3g2b1qzdg5mj7hp47p5jdo	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*

History

18 Aug 2025, 18:25

Type	Values Removed	Values Added
Summary		(es) Una omisión de la función de seguridad DISALLOWED_SQL_FUNCTIONS en Apache Superset permite la ejecución de funciones SQL bloqueadas. Un atacante puede usar un bloque en línea especial para eludir la lista de denegados. Esto permite a un usuario con acceso a SQL Lab ejecutar funciones que estaban destinadas a estar deshabilitadas, lo que conlleva la divulgación de información confidencial de la base de datos, como la versión del software. Este problema afecta a Apache Superset: versiones anteriores a la 5.0.0. Se recomienda a los usuarios actualizar a la versión 5.0.0, que soluciona el problema.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
First Time		Apache superset Apache
CPE		cpe:2.3:a:apache:superset::::::::
References	~~() https://lists.apache.org/thread/cn49ps15ny3g2b1qzdg5mj7hp47p5jdo -~~	() https://lists.apache.org/thread/cn49ps15ny3g2b1qzdg5mj7hp47p5jdo - Mailing List, Vendor Advisory

14 Aug 2025, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-14 14:15

Updated : 2025-08-18 18:25

NVD link : CVE-2025-55674

Mitre link : CVE-2025-55674

CVE.ORG link : CVE-2025-55674

JSON object : View

Products Affected

apache

superset

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2025-55674", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security@apache.org", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-14T14:15:34.743", "references": [{"url": "https://lists.apache.org/thread/cn49ps15ny3g2b1qzdg5mj7hp47p5jdo", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, leading to the disclosure of sensitive database information like the software version.\n\nThis issue affects Apache Superset: before 5.0.0.\n\nUsers are recommended to upgrade to version 5.0.0, which fixes the issue."}, {"lang": "es", "value": "Una omisi\u00f3n de la funci\u00f3n de seguridad DISALLOWED_SQL_FUNCTIONS en Apache Superset permite la ejecuci\u00f3n de funciones SQL bloqueadas. Un atacante puede usar un bloque en l\u00ednea especial para eludir la lista de denegados. Esto permite a un usuario con acceso a SQL Lab ejecutar funciones que estaban destinadas a estar deshabilitadas, lo que conlleva la divulgaci\u00f3n de informaci\u00f3n confidencial de la base de datos, como la versi\u00f3n del software. Este problema afecta a Apache Superset: versiones anteriores a la 5.0.0. Se recomienda a los usuarios actualizar a la versi\u00f3n 5.0.0, que soluciona el problema."}], "lastModified": "2025-08-18T18:25:25.880", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8F0D7DF8-C23F-4DC3-A1D2-C3A9EA304A90", "versionEndExcluding": "5.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}