Description

A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, leading to the disclosure of sensitive database information like the software version. This issue affects Apache Superset: before 5.0.0. Users are recommended to upgrade to version 5.0.0, which fixes the issue.

INFO

Published Date :

2025-08-14T13:18:10.535Z

Last Modified :

2025-08-14T13:49:51.691Z

Source :

apache
AFFECTED PRODUCTS

The following products are affected by CVE-2025-55674 vulnerability.

Vendors Products
Apache
  • Superset
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-55674.

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability