Apache · Apache Superset · CVE-2025-55674
Name of the Vulnerable Software and Affected Versions:
Apache Superset versions prior to 5.0.0
Description:
A bypass of the `DISALLOWED_SQL_FUNCTIONS` security feature allows execution of SQL functions that the denylist is meant to block. An attacker can use a special inline block to circumvent the denylist, so a user with SQL Lab access can execute functions that were intended to be disabled, potentially disclosing sensitive database information such as the database software version.
Recommendations:
Upgrade to version 5.0.0.