VYPR
Moderate severity · NVD Advisory · Published Aug 14, 2025 · Updated Nov 4, 2025

Apache Superset: Improper SQL authorisation, parse not checking for specific engine functions

CVE-2025-55674

Description

A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, leading to the disclosure of sensitive database information like the software version.

This issue affects Apache Superset: before 5.0.0.

Users are recommended to upgrade to version 5.0.0, which fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Superset before 5.0.0 allows attackers to bypass the DISALLOWED_SQL_FUNCTIONS denylist using a special inline block, enabling execution of blocked SQL functions.

CVE-2025-55674 describes a vulnerability in Apache Superset, a business intelligence and data visualization platform [2]. The issue lies in the DISALLOWED_SQL_FUNCTIONS security feature, which is intended to block potentially dangerous SQL functions from being executed in the SQL Lab interface [1]. Specifically, an attacker can circumvent this denylist by using a special inline block, effectively bypassing the authorization check [3]. This allows functions that were meant to be disabled to be executed [1].

Exploitation

Prerequisites

To exploit this vulnerability, an attacker must have access to SQL Lab, which requires a valid user account with appropriate permissions [1]. The attack does not require any special network position beyond being an authenticated user of the platform. The bypass is achieved by crafting a query using the aforementioned inline block technique [3].

Impact

Successful exploitation enables an attacker to execute SQL functions that were deliberately blocked by administrators. This can lead to the disclosure of sensitive database information, such as the database software version [1]. Depending on the database and the functions blocked, an attacker might gain further insight into the database schema or configuration, which could aid in additional attacks.

Mitigation

The vulnerability affects Apache Superset versions before 5.0.0 [1]. Users are strongly recommended to upgrade to version 5.0.0, which contains the fix. No workarounds have been provided, and upgrading is the only confirmed mitigation [1][3]. The vulnerability was reported by d47sec from NCS Viet Nam, coordinated by Pedro Sousa, and remediated by Beto Dealmeida [3].
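Because the flaw is in Superset's own parser-based check, a defender who wants to know whether blocked functions were actually run before the upgrade has to look at executed query history rather than trust the denylist. The following is an added example, not code from this advisory or from the Superset project: a plain token-based audit over SQL Lab query records that does not depend on Superset's parser. The denylist contents, the `QueryRecord` shape and the sample queries are all assumptions constructed for the example; real use would read records from the Superset query history and the site's actual DISALLOWED_SQL_FUNCTIONS setting.

```python
import re
from dataclasses import dataclass

# Hypothetical denylist with the same shape as Superset's
# DISALLOWED_SQL_FUNCTIONS setting (engine -> set of function names).
# The function names listed here are assumptions for the example.
DENYLIST = {
    "postgresql": {"version", "pg_sleep", "inet_server_addr"},
    "mysql": {"version", "sleep"},
}


@dataclass
class QueryRecord:
    """Minimal stand-in for one SQL Lab query-history row (assumed shape)."""
    engine: str
    user: str
    sql: str


def find_denied_functions(engine: str, sql: str) -> list:
    """Return the denylisted function names that appear as calls in `sql`.

    This is deliberately a raw text scan rather than a parse: it matches the
    function name followed by an opening parenthesis anywhere in the text,
    case-insensitively, so it is not fooled by parser-specific constructs.
    The trade-off is that it is conservative: a call inside a comment or a
    string literal is also reported and must be triaged by a human.
    """
    names = DENYLIST.get(engine, set())
    hits = set()
    for name in names:
        if re.search(rf"\b{re.escape(name)}\s*\(", sql, re.IGNORECASE):
            hits.add(name)
    return sorted(hits)


def audit(records) -> list:
    """Return (user, engine, [denied functions]) for every record that hits."""
    findings = []
    for rec in records:
        hits = find_denied_functions(rec.engine, rec.sql)
        if hits:
            findings.append((rec.user, rec.engine, hits))
    return findings


# Constructed sample query history; no real users or queries.
SAMPLE_HISTORY = [
    QueryRecord("postgresql", "alice", "SELECT count(*) FROM orders"),
    QueryRecord("postgresql", "bob", "SELECT VERSION()"),
    QueryRecord("mysql", "carol", "select sleep(5), 1"),
    # A column called `version` is not a function call and must not be flagged.
    QueryRecord("postgresql", "dave", "SELECT version FROM releases"),
]

if __name__ == "__main__":
    for user, engine, hits in audit(SAMPLE_HISTORY):
        print(f"{user} ran denylisted function(s) on {engine}: {', '.join(hits)}")
```

Running the audit over the sample history reports bob and carol and leaves alice and dave alone. The check is intentionally one-sided: it is meant to surface queries for review after the fact, not to replace the upgrade to 5.0.0, which is the only confirmed fix.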

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           Ecosystem   Affected versions   Patched versions
apache-superset   PyPI        < 5.0.0             5.0.0

Affected products

2
  • Apache/Superset (llm-fuzzy)
    Range: <5.0.0
  • Apache Software Foundation/Apache Superset (v5)
    Range: 0

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.