VYPR
Moderate severityNVD Advisory· Published Aug 14, 2025· Updated Nov 4, 2025

Apache Superset: Improper SQL authorisation, parse not checking for specific engine functions

CVE-2025-55674

Description

A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, leading to the disclosure of sensitive database information like the software version.

This issue affects Apache Superset: before 5.0.0.

Users are recommended to upgrade to version 5.0.0, which fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
apache-supersetPyPI
< 5.0.05.0.0

Affected products

7

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.