SB2025081945 - Multiple vulnerabilities in Apache Superset

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Improper access control (CVE-ID: CVE-2025-55675)

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to improper access restrictions within the "/explore" endpoint. A remote user can view metadata about datasources they do not have permission to access by iterating through the datasource_id in the URL.

2) Stored cross-site scripting (CVE-ID: CVE-2025-55672)

The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when handling column labels. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

3) Protection Mechanism Failure (CVE-ID: CVE-2025-55674)

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to insufficient implementation of security measures. A remote user with SQL Lab access can use a special inline block to circumvent the denylist and bypass the DISALLOWED_SQL_FUNCTIONS security feature.

Remediation

Install update from vendor's website.

References

• https://lists.apache.org/thread/op681b4kbd7g84tfjf9omz0sxggbcv33
• https://lists.apache.org/thread/rvh7fdjfzxzjhcfwoz7twc2brhvochdj
• https://lists.apache.org/thread/cn49ps15ny3g2b1qzdg5mj7hp47p5jdo