PyPI: apache-superset
CVE-2025-55674
Safety vulnerability ID: SFTY-20250819-16107
Safety legacy ID: pyup.io-78846
Overview
Apache Superset has a bypass of `DISALLOWED_SQL_FUNCTIONS` that allows execution of SQL functions the denylist is supposed to block
Advisory
Affected versions of the Apache Superset package are vulnerable to Improper Input Validation because the check that enforces `DISALLOWED_SQL_FUNCTIONS` filters SQL function calls insufficiently. The denylist can be bypassed by placing the call inside special inline blocks in the SQL query, so a function that should be blocked by the denylist mechanism is executed by the database anyway.
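The advisory does not say which inline construct the bypass uses, so the following added example (not code from the Superset project or from the advisory) illustrates the general failure mode with one well-known construct: MySQL executable comments of the form `/*! ... */` or `/*!50000 ... */`, which MySQL runs as SQL while most comment-stripping code discards them. The `DISALLOWED_SQL_FUNCTIONS` dict below is a hypothetical stand-in for the Superset setting (its contents are illustrative), and `naive_blocked`, `hardened_blocked` and `has_executable_comment` are helpers written for this example, not Superset APIs.

```python
import re

# Hypothetical stand-in for Superset's DISALLOWED_SQL_FUNCTIONS setting
# (engine name -> lower-cased function names). Values are illustrative only.
DISALLOWED_SQL_FUNCTIONS = {
    "mysql": {"version", "sleep", "load_file"},
    "postgresql": {"version", "pg_sleep", "query_to_xml"},
}

_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
_LINE_COMMENT = re.compile(r"--[^\n]*")
# MySQL executable comment: "/*!" plus an optional version number, e.g. "/*!50000".
# The database executes the body; a plain comment stripper throws it away.
_EXEC_COMMENT = re.compile(r"/\*!\d*(.*?)\*/", re.DOTALL)
# An identifier immediately followed by "(" is treated as a function call.
_CALL = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")


def strip_comments(sql: str) -> str:
    """Discard block and line comments the way a naive pre-filter would."""
    return _LINE_COMMENT.sub(" ", _BLOCK_COMMENT.sub(" ", sql))


def called_functions(sql: str) -> set:
    """Lower-cased names of every identifier followed by '(' in the text."""
    return {m.group(1).lower() for m in _CALL.finditer(sql)}


def naive_blocked(sql: str, engine: str) -> set:
    """Denylist hits when comment bodies are removed before scanning.

    Anything the database will execute out of an executable comment is
    invisible to this check, which is the bypass shape the advisory describes.
    """
    denied = DISALLOWED_SQL_FUNCTIONS.get(engine, set())
    return called_functions(strip_comments(sql)) & denied


def unwrap_executable_comments(sql: str) -> str:
    """Replace '/*!... body */' with its body so the body is scanned as code."""
    return _EXEC_COMMENT.sub(r" \1 ", sql)


def hardened_blocked(sql: str, engine: str) -> set:
    """Same denylist, but executable-comment bodies are scanned as code.

    Ordinary comments are still discarded afterwards, so a denied name that
    appears only inside a real comment does not produce a false positive.
    """
    denied = DISALLOWED_SQL_FUNCTIONS.get(engine, set())
    visible = strip_comments(unwrap_executable_comments(sql))
    return called_functions(visible) & denied


def has_executable_comment(sql: str) -> bool:
    """Fail-closed alternative: refuse any query carrying a '/*!' block."""
    return _EXEC_COMMENT.search(sql) is not None


if __name__ == "__main__":
    # Constructed sample queries for the demonstration.
    plain = "SELECT version()"
    bypass = "SELECT /*!50000 version() */"
    for query in (plain, bypass):
        print(repr(query))
        print("  naive check blocks:   ", naive_blocked(query, "mysql") or "nothing")
        print("  hardened check blocks:", hardened_blocked(query, "mysql") or "nothing")
        print("  executable comment:   ", has_executable_comment(query))
```

The point of the example is that a denylist enforced by scanning query text is only as strong as the scanner's model of what the database will execute; each engine has its own constructs (executable comments are only one) that a generic comment stripper or parser treats as inert. Treat `DISALLOWED_SQL_FUNCTIONS` as defence in depth and rely on the database account's privileges to limit what a SQL Lab query can reach.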
How to Fix
Mitigation and Workarounds
References
- https://getsafety.com/vulnerabilities/SFTY-20250819-16107/CVE-2025-55674
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-55674
- https://github.com/advisories/GHSA-fxgf-3xh6-m2pp
- https://nvd.nist.gov/vuln/detail/CVE-2025-55674
- https://lists.apache.org/thread/cn49ps15ny3g2b1qzdg5mj7hp47p5jdo
- http://www.openwall.com/lists/oss-security/2025/08/14/5
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
