CVE-2025-55674 — SQL Injection in Software Foundation Apache Superset

CWE-89 — SQL Injection4 documents4 sources

Severity

5.3MEDIUMNVD

EPSS

0.1%

top 75.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Superset Apache Superset

Timeline

PublishedAug 14

Description

A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, leading to the disclosure of sensitive database information like the software version. This issue affects Apache Superset: before 5.0.0. Users are recommended to upgrade to version 5.0.0, which fixes the …

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

▶CVEListV5apache_software_foundation/apache_superset< 5.0.0

▶NVDapache/superset< 5.0.0

🔴Vulnerability Details

CVEList

Apache Superset: Improper SQL authorisation, parse not checking for specific engine functions↗2025-08-14

▶

GHSA

Apache Superset has bypass of `DISALLOWED_SQL_FUNCTIONS` that allows execution of blocked SQL functions↗2025-08-14

▶

OSV

Apache Superset has bypass of `DISALLOWED_SQL_FUNCTIONS` that allows execution of blocked SQL functions↗2025-08-14

▶