Moderate severityNVD Advisory· Published Aug 14, 2025· Updated Nov 4, 2025
Apache Superset: Metadata exposure in embedded charts
CVE-2025-55673
Description
When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This field contains the underlying query, which improperly discloses database schema information, such as table names, to the low-privileged guest user.
This issue affects Apache Superset: before 4.1.3.
Users are recommended to upgrade to version 4.1.3, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
apache-supersetPyPI | < 4.1.3.post1 | 4.1.3.post1 |
Affected products
9- osv-coords8 versionspkg:apk/chainguard/superset-4.1pkg:apk/chainguard/superset-4.1-entrypointpkg:apk/chainguard/superset-4.1-iamguarded-compatpkg:apk/wolfi/superset-4.1pkg:apk/wolfi/superset-4.1-entrypointpkg:apk/wolfi/superset-4.1-iamguarded-compatpkg:bitnami/supersetpkg:pypi/apache-superset
< 0+ 7 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 4.1.3
- (no CPE)range: < 4.1.3.post1
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-9g5x-mm39-wg9rghsaADVISORY
- lists.apache.org/thread/h2hw756wk4sj4z49blvzkr5fntl9hlf8ghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2025-55673ghsaADVISORY
- www.openwall.com/lists/oss-security/2025/08/14/3ghsaWEB
News mentions
0No linked articles in our index yet.