CVE-2025-55675
📋 TL;DR
Apache Superset has an improper access control vulnerability where authenticated users can enumerate protected datasources they shouldn't access. By manipulating the datasource_id parameter in the /explore endpoint, attackers can discover metadata about sensitive datasources. This affects all Apache Superset instances before version 5.0.0.
💻 Affected Systems
- Apache Superset
📦 What is this software?
Superset by Apache
⚠️ Risk & Real-World Impact
Worst Case
Attackers map all sensitive datasources, identify high-value targets, and use this reconnaissance to plan further attacks against the discovered data sources.
Likely Case
Unauthorized users discover the existence and names of protected datasources, potentially exposing sensitive business intelligence, customer data, or proprietary information.
If Mitigated
Only authorized users can access datasource metadata, preventing information disclosure about protected resources.
🎯 Exploit Status
Requires authenticated access and manual enumeration through datasource_id parameter manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.0.0
Vendor Advisory: https://lists.apache.org/thread/op681b4kbd7g84tfjf9omz0sxggbcv33
Restart Required: No
Instructions:
1. Back up your Superset instance and database.
2. Upgrade to Apache Superset version 5.0.0 or later.
3. Verify the upgrade completed successfully.
4. Test critical functionality.
🔧 Temporary Workarounds
Web Application Firewall Rule
Block enumeration attempts by rate limiting or blocking suspicious patterns of /explore endpoint requests with sequential datasource_id parameters.
Access Control Enhancement
Implement additional authorization middleware to validate datasource access permissions before returning metadata.
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to Superset instances
- Enforce strong authentication and monitor for unusual enumeration patterns in access logs
🔍 How to Verify
Check if Vulnerable:
Test authenticated access to the /explore endpoint with different datasource_id values to see if metadata is returned without proper authorization checks.
Check Version:
superset version
Verify Fix Applied:
After upgrading to 5.0.0+, attempt the same enumeration and verify that unauthorized datasource metadata requests are properly blocked.
📡 Detection & Monitoring
Log Indicators:
- Multiple sequential requests to the /explore endpoint with different datasource_id parameters from the same user
- Access denied errors for datasource metadata requests
Network Indicators:
- Pattern of HTTP GET requests to /explore with incrementing numeric parameters
SIEM Query:
source='apache_superset' AND url_path='/explore' AND datasource_id=* | stats count by src_ip, user | where count > threshold
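The log indicators above can also be checked offline against web access logs. The following is an added example, not part of the advisory or of Superset: it assumes a combined-log-style line with the authenticated username in the third field and datasource_id passed as a query parameter, and the thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs
# Constructed sample log (combined-log style); the third field is assumed to
# hold the authenticated username. alice browses, bob walks ids 1..6.
SAMPLE_LOG = "\n".join(
    f'{ip} - {user} [12/Aug/2025:10:00:{i:02d} +0000] '
    f'"GET /explore/?datasource_id={ds} HTTP/1.1" 200 512'
    for i, (ip, user, ds) in enumerate(
        [("10.0.0.5", "alice", 3), ("10.0.0.5", "alice", 17)]
        + [("10.0.0.9", "bob", n) for n in range(1, 7)]
    )
)
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "GET (?P<url>\S+) [^"]*" \d{3}')

def explore_ids_by_user(log_text):
    """Map (user, src_ip) -> set of numeric datasource_id values seen on /explore."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a GET access-log line in the assumed format
        url = urlsplit(m["url"])
        if not url.path.rstrip("/").endswith("/explore"):
            continue
        for value in parse_qs(url.query).get("datasource_id", []):
            if value.isdigit():
                seen[(m["user"], m["ip"])].add(int(value))
    return seen

def longest_run(ids):
    """Length of the longest run of consecutive integers in a set of ids."""
    best = 0
    for n in ids:
        if n - 1 not in ids:  # n starts a run
            length = 1
            while n + length in ids:
                length += 1
            best = max(best, length)
    return best

def flag_enumeration(log_text, min_distinct=5, min_run=4):
    """Flag users who touched many distinct ids or a long sequential run of them."""
    alerts = []
    for (user, ip), ids in sorted(explore_ids_by_user(log_text).items()):
        run = longest_run(ids)
        if len(ids) >= min_distinct or run >= min_run:
            alerts.append({"user": user, "src_ip": ip, "distinct_ids": len(ids), "longest_run": run})
    return alerts
```

Tune min_distinct and min_run against a baseline of normal dashboard use, since analysts who legitimately work with many datasets will also produce high distinct counts.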