
CVE-2025-55672: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Apache Software Foundation Apache Superset

Severity: Medium
Tags: Vulnerability, CVE-2025-55672, CWE-80
Published: Thu Aug 14 2025 (08/14/2025, 13:17:33 UTC)
Source: CVE Database V5
Vendor/Project: Apache Software Foundation
Product: Apache Superset

Description

A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's label. The payload is not properly sanitized and gets executed in the victim's browser when they hover over the chart, potentially leading to session hijacking or the execution of arbitrary commands on behalf of the user. This issue affects Apache Superset: before 5.0.0. Users are recommended to upgrade to version 5.0.0, which fixes the issue.

AI-Powered Analysis

Last updated: 08/14/2025, 13:49:03 UTC

Technical Analysis

CVE-2025-55672 is a stored Cross-Site Scripting (XSS) vulnerability in Apache Superset, the open-source data visualization and business intelligence platform maintained by the Apache Software Foundation. It stems from improper neutralization of script-related HTML tags (CWE-80) in the chart visualization component: an authenticated user with chart-editing permissions can place a JavaScript payload in a column's label, and because the label is neither sanitized on input nor escaped on output, the script runs in the browsers of other users who view or interact with the affected chart, notably when they hover over chart elements. Execution in the victim's browser session can lead to session hijacking, unauthorized actions performed on the victim's behalf, or other arbitrary command execution within the context of that session. All Apache Superset releases before version 5.0.0 are affected. The CVSS v4.0 base score is 5.3 (medium severity): the attack vector is network-based with low attack complexity and no user interaction, but privileges are required (an authenticated user with edit permissions). The confidentiality impact is limited but non-negligible because of the potential for session hijacking, while the integrity and availability impacts are low. No exploits in the wild were reported as of the publication date (August 14, 2025). The recommended remediation is to upgrade to Apache Superset version 5.0.0 or later, where the label handling has been fixed to prevent script injection in chart labels.

Potential Impact

For European organizations using Apache Superset for data analytics and visualization, this vulnerability poses a moderate risk. Since exploitation requires an authenticated user with chart editing permissions, insider threats or compromised accounts could be leveraged to inject malicious scripts. The impact includes potential session hijacking of other users viewing the dashboards, which could lead to unauthorized data access or manipulation, especially in environments where sensitive business intelligence data is displayed. This could undermine data confidentiality and trust in reporting tools. Additionally, attackers could execute arbitrary commands in the victim's browser context, potentially enabling further lateral movement or data exfiltration. Organizations in sectors such as finance, healthcare, government, and critical infrastructure that rely on Superset for decision-making dashboards could face reputational damage and regulatory consequences if sensitive data is exposed or manipulated. The medium severity rating suggests that while the vulnerability is not trivially exploitable by unauthenticated attackers, the risk is significant enough to warrant prompt remediation to avoid exploitation in environments with multiple users and varying privilege levels.

Mitigation Recommendations

1. Immediately upgrade to Apache Superset version 5.0.0 or later, where the vulnerability is fixed by proper input sanitization and output encoding of chart labels.
2. Implement strict access controls and role-based permissions to limit chart editing capabilities to trusted users only, reducing the risk of malicious payload injection.
3. Conduct regular audits of existing charts and dashboards to identify and sanitize any potentially malicious or suspicious content in labels or metadata.
4. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of any residual XSS vulnerabilities.
5. Monitor user activity logs for unusual behavior indicative of exploitation attempts, such as unexpected chart edits or anomalous session activity.
6. Educate users with editing privileges about the risks of injecting untrusted content and enforce secure development and content creation practices within dashboards.
7. Consider deploying web application firewalls (WAF) with rules tuned to detect and block XSS payloads targeting Superset interfaces.
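As an added illustration of mitigation 3 (auditing existing chart metadata) and of the output encoding the fix relies on, the following script is not Superset's own code; it assumes that exported chart params carry user-controlled labels under the keys `label`, `verbose_name` and `column_name` (an assumption about Superset's form-data layout), and it uses a constructed sample rather than a real export.

```python
import html
import re
from typing import Iterator, List, Tuple

# CWE-80 markers: HTML tags that can carry script, inline event-handler
# attributes (onerror=, onmouseover=, ...) and script-scheme URLs.
SCRIPT_MARKERS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object|embed|a|body)\b"
    r"|\bon[a-z]+\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)

# Assumed keys under which Superset chart params store user-editable labels.
LABEL_KEYS = ("label", "verbose_name", "column_name")


def iter_labels(params, path: str = "params") -> Iterator[Tuple[str, str]]:
    """Walk a chart params structure and yield (json_path, label) pairs."""
    if isinstance(params, dict):
        for key, value in params.items():
            if key in LABEL_KEYS and isinstance(value, str):
                yield f"{path}.{key}", value
            else:
                yield from iter_labels(value, f"{path}.{key}")
    elif isinstance(params, list):
        for i, item in enumerate(params):
            yield from iter_labels(item, f"{path}[{i}]")


def find_suspicious_labels(params) -> List[Tuple[str, str]]:
    """Return labels that contain script-related HTML and should be reviewed."""
    return [(p, v) for p, v in iter_labels(params) if SCRIPT_MARKERS.search(v)]


def safe_label(label: str) -> str:
    """Output-encode a label so the browser renders it as text, never as markup."""
    return html.escape(label, quote=True)


# Constructed sample chart params (hypothetical, not a real Superset export).
SAMPLE_CHART_PARAMS = {
    "metrics": [
        {"label": "Revenue (EUR)", "expressionType": "SIMPLE"},
        {"label": "<img src=x onerror=alert(1)>", "expressionType": "SQL"},
    ],
    "columns": [{"column_name": "region", "verbose_name": "Region"}],
}

if __name__ == "__main__":
    for json_path, label in find_suspicious_labels(SAMPLE_CHART_PARAMS):
        print(f"REVIEW {json_path}: {safe_label(label)}")
```

Run it against each chart's params pulled from the Superset API or database; any flagged path is a label to review before the chart is rendered for other users.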


Technical Details

Data Version: 5.1
Assigner Short Name: apache
Date Reserved: 2025-08-13T12:38:31.381Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 689de581ad5a09ad005b2ada

Added to database: 8/14/2025, 1:32:49 PM

Last enriched: 8/14/2025, 1:49:03 PM

Last updated: 8/14/2025, 2:30:41 PM

