PyPI: apache-superset
CVE-2025-55673
Safety vulnerability ID: SFTY-20250819-07401
Safety legacy ID: pyup.io-78845
Overview
Apache Superset data query improperly discloses database schema information to low-privileged guest user
Advisory
Affected versions of the Apache Superset package are vulnerable to Information Disclosure due to improper access control on query metadata. When a guest user accesses a chart, the `/chart/data` endpoint includes a `query` field in its API response payload, exposing database schema information, including table names, that low-privileged users should not be able to see.
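As an added illustration (not Superset's code or part of the advisory), the following Python check takes a captured `/chart/data` response and, for a guest caller, reports and strips the leaked `query` field and lists the table names it exposes. The response shape `{"result": [{"query": ..., "data": ...}]}`, the `is_guest` flag and the sample payload are assumptions/constructed.

```python
"""Detect and redact query-metadata leakage in a Superset /chart/data response.

Added illustration for CVE-2025-55673; not Superset code. Assumes the
response shape {"result": [{"query": "...", "data": [...]}]} and that the
caller already knows whether the requester held only a guest token.
"""
import copy
import json
import re

# Fields a low-privileged (guest) caller should never see (assumed list).
SENSITIVE_FIELDS = ("query",)

# Small SQL table-reference matcher: FROM/JOIN <schema>.<table>, optional quotes.
_TABLE_REF = re.compile(r'\b(?:FROM|JOIN)\s+([A-Za-z_][\w."]*)', re.IGNORECASE)


def leaked_tables(sql: str) -> list[str]:
    """Return table names referenced in the SQL text, in first-seen order."""
    seen: list[str] = []
    for name in _TABLE_REF.findall(sql):
        name = name.replace('"', "")
        if name not in seen:
            seen.append(name)
    return seen


def audit_chart_data(payload: dict, is_guest: bool) -> dict:
    """Inspect a /chart/data response; for guests, report and redact leaks."""
    findings: list[dict] = []
    redacted = copy.deepcopy(payload)  # never mutate the caller's copy
    for i, entry in enumerate(redacted.get("result", [])):
        for field in SENSITIVE_FIELDS:
            if is_guest and field in entry:
                findings.append({"index": i, "field": field,
                                 "tables": leaked_tables(str(entry[field]))})
                entry.pop(field)
    return {"leak": bool(findings), "findings": findings, "redacted": redacted}


# Constructed sample of what a vulnerable instance might return to a guest.
SAMPLE_RESPONSE = {
    "result": [{
        "query": 'SELECT region, SUM(amount) FROM finance.payroll p '
                 'JOIN hr."employees" e ON e.id = p.emp_id GROUP BY region',
        "data": [{"region": "EMEA", "SUM(amount)": 1200}],
    }]
}

if __name__ == "__main__":
    print(json.dumps(audit_chart_data(SAMPLE_RESPONSE, is_guest=True), indent=2))
```

Run against responses captured before and after upgrading: a patched instance should produce no findings for guest-token requests.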
References
- https://getsafety.com/vulnerabilities/SFTY-20250819-07401/CVE-2025-55673
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-55673
- https://github.com/advisories/GHSA-9g5x-mm39-wg9r
- https://nvd.nist.gov/vuln/detail/CVE-2025-55673
- https://lists.apache.org/thread/h2hw756wk4sj4z49blvzkr5fntl9hlf8
- http://www.openwall.com/lists/oss-security/2025/08/14/3
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.