CVE-2025-55674
📋 TL;DR
Apache Superset's DISALLOWED_SQL_FUNCTIONS check is meant to stop SQL Lab users from calling listed functions (by default, for example, PostgreSQL's and MySQL's version()). This vulnerability lets an authenticated user with SQL Lab access get around that check with what the advisory describes as an inline block technique, so functions that should be refused are sent to the database anyway, potentially exposing information such as the database software version. All Apache Superset releases before 5.0.0 are affected.
💻 Affected Systems
- Apache Superset
📦 What is this software?
Apache Superset is an open-source data exploration and visualisation platform. SQL Lab is its built-in SQL editor, and DISALLOWED_SQL_FUNCTIONS is the per-engine list of function names (configured in superset_config.py) that SQL Lab is supposed to refuse to run.
⚠️ Risk & Real-World Impact
Worst Case
The bypass gives a SQL Lab user every function the connected database account can call, so the ceiling is set by that account's privileges: exfiltration of data the account can read, privilege escalation, or code execution on the database host if the engine exposes functions that allow it to that account.
Likely Case
Information disclosure of database metadata, software versions, and potentially sensitive data from accessible tables.
If Mitigated
Limited impact if proper network segmentation, minimal privileges, and query auditing are in place.
🎯 Exploit Status
Requires authenticated access to SQL Lab. Attackers need knowledge of the bypass technique and available SQL functions to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.0.0
Vendor Advisory: https://lists.apache.org/thread/cn49ps15ny3g2b1qzdg5mj7hp47p5jdo
Restart Required: Yes (the Superset application processes, including Celery workers if used, must be restarted after the upgrade)
Instructions:
1. Back up your Superset configuration and metadata database.
2. Upgrade Apache Superset to version 5.0.0 or later using your installation method (for example `pip install apache-superset==5.0.0`, or the corresponding container image tag).
3. Run `superset db upgrade` and `superset init`, then restart the web server and any Celery workers.
4. Verify the upgrade completed successfully (see How to Verify below).
5. Test SQL Lab functionality to ensure normal operation.
🔧 Temporary Workarounds
Disable SQL Lab Access
Temporarily disable SQL Lab for all users to prevent exploitation while planning the upgrade.
Superset has no single ENABLE_SQL_LAB configuration switch. The equivalent is to edit each database connection and untick "Expose database in SQL Lab", and/or remove the SQL Lab permissions from every role (see below).
Restrict User Permissions
Remove SQL Lab access from non-essential users and apply the principle of least privilege.
Use Superset's role-based access control to revoke the SQL Lab permissions (for example "can sqllab on Superset" and "can sql_json on Superset") and the built-in sql_lab role from any user who does not need them. Also ensure the database accounts Superset connects with have read-only, minimal privileges, since the bypass can only call what that account is allowed to call.
🧯 If You Can't Patch
- Implement strict network access controls to limit Superset access to trusted IPs only
- Enable comprehensive SQL query logging and monitoring for suspicious activity
- Review and minimize user permissions, especially SQL Lab access
🔍 How to Verify
Check if Vulnerable:
Check your Apache Superset version. If it is below 5.0.0 and any user outside the administrators can reach SQL Lab, you are vulnerable: DISALLOWED_SQL_FUNCTIONS is enforced only in SQL Lab, and the bypass removes that enforcement.
Check Version:
Run `superset version` on the host (or `pip show apache-superset`), or open the Settings menu in the web interface and look at the About entry, which shows the running version.
Verify Fix Applied:
After upgrading, confirm the version is 5.0.0 or higher, then, as a non-admin user with SQL Lab access, submit a query that calls a function from your DISALLOWED_SQL_FUNCTIONS list (for PostgreSQL with the default list, `SELECT version()`) and confirm SQL Lab rejects it with a disallowed-function error rather than returning a result.
📡 Detection & Monitoring
Log Indicators:
- SQL Lab queries whose text, once comments, quoting and whitespace are stripped, contains a function name from DISALLOWED_SQL_FUNCTIONS, even though the literal name is absent (a name-based filter can only be bypassed by a spelling it does not recognise)
- Execution of SQL functions that should be blocked per DISALLOWED_SQL_FUNCTIONS configuration
- Multiple failed SQL function execution attempts followed by successful ones
Network Indicators:
- Unusual database query patterns from Superset application
- Increased data transfer from database to Superset
SIEM Query:
Illustrative pseudo-query (field names depend on how you ship Superset's query history or event log to your SIEM; adapt the function names to your own DISALLOWED_SQL_FUNCTIONS):
source="superset" AND action="sql_json" AND status="success" AND (sql="*version*" OR sql="*query_to_xml*" OR sql="*inet_server_addr*" OR sql="*inet_client_addr*" OR sql="*url(*")
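The scan below is an added example, not Superset's own code or the project's implementation of DISALLOWED_SQL_FUNCTIONS. It serves both the "Verify Fix Applied" step (it shows what a name-based check must see through) and the log indicators above: it normalises query text (string literals blanked, comments removed, double-quoted identifiers unquoted, whitespace collapsed, case folded) before matching deny-listed function names, then runs that over constructed rows shaped like an export of Superset's query history. The deny list reproduces the defaults shipped in Superset's config.py; everything else (the row layout, user names, the SQL texts) is made up for the example, and none of the odd spellings is claimed to be the exact bypass the advisory refers to.

```python
import re

# Per-engine deny list. These entries match the defaults shipped in Superset's
# config.py; assumption: replace them with the value from your own
# superset_config.py so the scan matches what your deployment claims to block.
DISALLOWED_SQL_FUNCTIONS: dict[str, set[str]] = {
    "postgresql": {"version", "query_to_xml", "inet_server_addr", "inet_client_addr"},
    "mysql": {"version"},
    "clickhouse": {"url"},
}

_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
_LINE_COMMENT = re.compile(r"--[^\r\n]*")
_QUOTED_IDENT = re.compile(r'"([^"]+)"')
# Identifier in call position, with optional schema qualifiers; group 1 is the
# bare function name, e.g.  pg_catalog . version (  ->  version
_CALL = re.compile(r"(?:[A-Za-z_]\w*\s*\.\s*)*([A-Za-z_]\w*)\s*\(")


def normalize_sql(sql: str) -> str:
    """Fold the spellings a literal substring match is blind to. Strings are
    blanked first so that 'version()' inside a literal is not counted; a quote
    character inside a comment can still confuse this order (detection-grade,
    not a parser)."""
    sql = _STRING_LITERAL.sub("''", sql)
    sql = _BLOCK_COMMENT.sub(" ", sql)
    sql = _LINE_COMMENT.sub(" ", sql)
    sql = _QUOTED_IDENT.sub(r"\1", sql)
    return " ".join(sql.split()).lower()


def called_functions(sql: str) -> set[str]:
    """Names that appear immediately before '(' after normalisation. Keywords
    such as 'in (' also show up; that is harmless because no keyword is ever on
    the deny list."""
    return {m.group(1) for m in _CALL.finditer(normalize_sql(sql))}


def disallowed_calls(engine: str, sql: str) -> set[str]:
    """Deny-listed functions for this engine that the query actually calls."""
    return called_functions(sql) & DISALLOWED_SQL_FUNCTIONS.get(engine, set())


def scan_query_log(rows):
    """Flag query-history rows that call a deny-listed function. A 'success'
    row is the one that matters: the query reached the database."""
    findings = []
    for row in rows:
        hit = disallowed_calls(row["engine"], row["sql"])
        if hit:
            findings.append({"id": row["id"], "user": row["user"],
                             "status": row["status"], "functions": sorted(hit)})
    return findings


# Constructed sample rows (query id, backend engine, user, status, submitted
# SQL), made up for this example. Rows 2 and 3 are spellings a literal match
# on "version()" would miss; row 4 is a false-positive trap; row 6 is clean.
SAMPLE_QUERY_LOG = [
    {"id": 1, "engine": "postgresql", "user": "analyst", "status": "failed",
     "sql": "SELECT version()"},
    {"id": 2, "engine": "postgresql", "user": "analyst", "status": "success",
     "sql": 'SELECT /* probe */ "version" ()'},
    {"id": 3, "engine": "postgresql", "user": "analyst", "status": "success",
     "sql": "select pg_catalog.VERSION()\n-- trailing note"},
    {"id": 4, "engine": "postgresql", "user": "reporting", "status": "success",
     "sql": "SELECT 'version()' AS label, lower(name) FROM customers"},
    {"id": 5, "engine": "clickhouse", "user": "etl", "status": "success",
     "sql": "SELECT * FROM url('https://example.com/data.csv', 'CSV')"},
    {"id": 6, "engine": "mysql", "user": "reporting", "status": "success",
     "sql": "SELECT id, name FROM users WHERE id IN (1, 2)"},
]

if __name__ == "__main__":
    for finding in scan_query_log(SAMPLE_QUERY_LOG):
        print(finding)
```

Feed it rows exported from the `query` table of Superset's metadata database (or from `GET /api/v1/query/`), with the engine taken from the associated database connection. The sequence the log indicators describe, a failed attempt followed by a successful one from the same user, shows up here as rows 1 and 2. Row 5 is flagged even though the ClickHouse `url` table function is being used legitimately: the scan reports deny-listed calls, and deciding whether the caller was entitled to them is the analyst's job.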