CVE-2025-55672 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-80, found in Apache Superset's chart visualization component prior to version 5.0.0. The flaw exists because the application fails to properly neutralize script-related HTML tags embedded in chart column labels. An authenticated user with permissions to edit charts can inject malicious JavaScript payloads into these labels. When other users view or hover over the affected charts, the payload executes in their browsers. This can lead to session hijacking, unauthorized actions performed on behalf of the victim, or other arbitrary command executions within the context of the victim's session. The vulnerability requires the attacker to have low privileges (chart editing rights) but does not require user interaction beyond viewing or hovering over the chart. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required beyond chart editing, no user interaction, and low impact on confidentiality, integrity, and availability, resulting in a medium severity score of 5.3. No known exploits have been reported in the wild, but the risk remains significant in multi-user environments. The issue is resolved in Apache Superset version 5.0.0, which implements proper sanitization of HTML content in chart labels.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on Apache Superset for business intelligence and data visualization across multiple users. Exploitation could allow an insider or compromised user with chart editing rights to execute malicious scripts in the browsers of other users, potentially leading to session hijacking, unauthorized data access, or manipulation of displayed data. This could compromise the confidentiality and integrity of sensitive business data and analytics. In regulated industries such as finance, healthcare, or government sectors within Europe, such breaches could lead to compliance violations under GDPR and other data protection laws, resulting in legal and financial penalties. Additionally, the attack could be used as a foothold for further lateral movement within an organization’s network. The medium CVSS score reflects moderate risk but should not be underestimated given the potential for targeted attacks in environments with sensitive data.

European organizations should immediately upgrade Apache Superset installations to version 5.0.0 or later, where this vulnerability is patched. Until the upgrade is applied, restrict chart editing permissions strictly to trusted users to minimize the risk of malicious payload injection. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers accessing Superset dashboards. Conduct regular audits of chart configurations to detect suspicious or unexpected HTML content in labels. Educate users about the risks of interacting with untrusted charts and monitor logs for unusual activities related to chart editing or viewing. Additionally, consider isolating Superset instances within secure network segments and enforcing strong authentication and session management controls to reduce the impact of potential session hijacking. Finally, keep abreast of any emerging exploit reports or patches related to this vulnerability.