CVE-2025-55674 MEDIUM

CVE-2025-55674: Apache Superset: Improper SQL authorisation, parse not checking for specific engine functions

Vendor Apache Software Foundation

Product Apache Superset

Weakness CWE-89 · SQLi

Published August 14, 2025

Last update November 4, 2025

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, leading to the disclosure of sensitive database information like the software version. This issue affects Apache Superset: before 5.0.0. Users are recommended to upgrade to version 5.0.0, which fixes the issue.

Key dates

Disclosure timeline

August 14, 2025 CVE published

November 4, 2025 Record updated