CVE-2025-55674 – apache-superset

Package

Manager: pip
Name: apache-superset
Vulnerable Version: >=0 <5.0.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00049 pctl0.14719

Details

Apache Superset has bypass of `DISALLOWED_SQL_FUNCTIONS` that allows execution of blocked SQL functions A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, leading to the disclosure of sensitive database information like the software version. This issue affects Apache Superset: before 5.0.0. Users are recommended to upgrade to version 5.0.0, which fixes the issue.

Metadata

Created: 2025-08-14T15:30:44Z
Modified: 2025-08-14T17:36:27Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-fxgf-3xh6-m2pp/GHSA-fxgf-3xh6-m2pp.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-fxgf-3xh6-m2pp
Finding: F297
Auto approve: 1