Moderate severityNVD Advisory· Published Aug 14, 2025· Updated Nov 4, 2025
Apache Superset: Improper SQL authorisation, parse not checking for specific engine functions
CVE-2025-55674
Description
A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, leading to the disclosure of sensitive database information like the software version.
This issue affects Apache Superset: before 5.0.0.
Users are recommended to upgrade to version 5.0.0, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
apache-supersetPyPI | < 5.0.0 | 5.0.0 |
Affected products
7- osv-coords6 versionspkg:apk/chainguard/superset-4.1-entrypointpkg:apk/chainguard/superset-4.1-iamguarded-compatpkg:apk/wolfi/superset-4.1-entrypointpkg:apk/wolfi/superset-4.1-iamguarded-compatpkg:bitnami/supersetpkg:pypi/apache-superset
< 4.1.4-r2+ 5 more
- (no CPE)range: < 4.1.4-r2
- (no CPE)range: < 4.1.4-r2
- (no CPE)range: < 4.1.4-r2
- (no CPE)range: < 4.1.4-r2
- (no CPE)range: < 5.0.0
- (no CPE)range: < 5.0.0
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-fxgf-3xh6-m2ppghsaADVISORY
- lists.apache.org/thread/cn49ps15ny3g2b1qzdg5mj7hp47p5jdoghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2025-55674ghsaADVISORY
- www.openwall.com/lists/oss-security/2025/08/14/5ghsaWEB
News mentions
0No linked articles in our index yet.