VYPR
High severity · NVD Advisory · Published May 30, 2025 · Updated May 31, 2025

Apache Superset: Improper authorization bypass on row level security via SQL Injection

CVE-2025-48912

Description

An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into 'sqlExpression' fields. This allowed the execution of sub-queries to evade parsing defenses, ultimately granting unauthorized access to data.

This issue affects Apache Superset: before 4.1.2.

Users are recommended to upgrade to version 4.1.2, which fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authenticated attacker can bypass row-level security in Apache Superset by injecting SQL into 'sqlExpression' fields, gaining unauthorized data access.

Vulnerability

Description

CVE-2025-48912 is an improper authorization bypass vulnerability in Apache Superset before version 4.1.2. An authenticated attacker can craft requests that inject malicious SQL into 'sqlExpression' fields, which are used for row-level security (RLS) filtering. The vulnerability arises because the parser does not adequately sanitize or parse sub-queries within these expressions, allowing the injection to bypass intended RLS restrictions.

Attack

Vector

Exploitation requires an authenticated user account within Apache Superset. The attacker does not need administrative privileges; any authenticated user can submit specially crafted requests containing injected sub-queries in 'sqlExpression' fields. This can be done through the application's interface or API. The attacker manipulates the SQL expression to include sub-queries that evade the existing parsing defenses, effectively circumventing the row-level security configuration.

Impact

Successful exploitation allows the authenticated attacker to execute arbitrary sub-queries, leading to unauthorized access to data that should be restricted by row-level security policies. This could mean reading, modifying, or exfiltrating data from tables or rows the attacker is not permitted to access. The impact is a breach of data confidentiality and potentially integrity, depending on the database permissions.

Mitigation

The Apache Superset project has released version 4.1.2, which fixes this issue by improving the parsing defenses in 'sqlExpression' fields to block sub-query injection attempts. Users are strongly recommended to upgrade to this version as soon as possible. No workarounds are mentioned in the advisories [1][3].
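To make the mitigation concrete, the following is an added example, not Apache Superset's own code or the 4.1.2 patch, of the kind of server-side check a defender would put in front of an RLS 'sqlExpression' field before it is ever spliced into a query: it blanks out string literals and quoted identifiers, rejects comments and statement separators, and refuses any expression that still contains a keyword that could start a sub-query or a DML statement. All function names and the keyword list are assumptions for this illustration.

```python
import re

# Illustrative validator for a row-level-security filter expression, added here as an
# example; it is NOT Apache Superset's own code or its 4.1.2 fix. The goal matches the
# advisory's mitigation: refuse any 'sqlExpression' that smuggles in a sub-query.

_FORBIDDEN_KEYWORDS = {"select", "union", "with", "insert", "update", "delete", "exec", "execute"}

def _strip_literals_and_comments(expr: str) -> str:
    """Return expr with string literals and quoted identifiers blanked out, so the
    keyword check only sees real SQL tokens. Comments and unterminated quotes raise."""
    out = []
    i, n = 0, len(expr)
    while i < n:
        c = expr[i]
        if c in ("'", '"', "`"):                        # literal or quoted identifier
            j = i + 1
            while j < n:
                if expr[j] == c:
                    if j + 1 < n and expr[j + 1] == c:   # doubled quote escapes itself
                        j += 2
                        continue
                    break
                j += 1
            if j >= n:
                raise ValueError("unterminated quote in RLS expression")
            out.append(" ")
            i = j + 1
        elif expr.startswith("--", i) or expr.startswith("/*", i):
            raise ValueError("comments are not allowed in RLS expressions")
        else:
            out.append(c)
            i += 1
    return "".join(out)

def is_safe_rls_expression(expr: str) -> bool:
    """True if expr looks like a plain boolean predicate; False if it carries a
    statement separator, a comment, or a keyword that starts a sub-query or DML."""
    try:
        stripped = _strip_literals_and_comments(expr)
    except ValueError:
        return False
    if ";" in stripped:
        return False
    tokens = re.findall(r"[A-Za-z_][A-Za-z0-9_]*", stripped)
    return not any(t.lower() in _FORBIDDEN_KEYWORDS for t in tokens)
```

A denylist like this is a coarse gate; a production check should also parse the expression with a real SQL parser and reject anything that is not a single boolean predicate.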

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: apache-superset (PyPI)
Affected versions: < 4.1.2
Patched versions: 4.1.2
