High severityNVD Advisory· Published May 30, 2025· Updated May 31, 2025
Apache Superset: Improper authorization bypass on row level security via SQL Injection
CVE-2025-48912
Description
An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into 'sqlExpression' fields. This allowed the execution of sub-queries to evade parsing defenses ultimately granting unauthorized access to data.
This issue affects Apache Superset: before 4.1.2.
Users are recommended to upgrade to version 4.1.2, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
apache-supersetPyPI | < 4.1.2 | 4.1.2 |
Affected products
3- osv-coords2 versions
< 4.1.2+ 1 more
- (no CPE)range: < 4.1.2
- (no CPE)range: < 4.1.2
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-8w7f-8pr9-xgwjghsaADVISORY
- lists.apache.org/thread/ms2t2oq218hb7l628trsogo4fj7h1135ghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2025-48912ghsaADVISORY
- www.openwall.com/lists/oss-security/2025/05/30/3ghsaWEB
News mentions
0No linked articles in our index yet.