CVE-2025-55674: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Apache Software Foundation Apache Superset
A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, leading to the disclosure of sensitive database information such as the software version. This issue affects Apache Superset versions before 5.0.0. Users are recommended to upgrade to version 5.0.0, which fixes the issue.
AI Analysis
Technical Summary
CVE-2025-55674 is a medium-severity SQL Injection vulnerability affecting Apache Superset versions prior to 5.0.0. Apache Superset is an open-source data visualization and business intelligence platform widely used for interactive data exploration. The vulnerability arises from a bypass of the DISALLOWED_SQL_FUNCTIONS security feature, which is designed to prevent execution of certain potentially dangerous SQL functions. An attacker with SQL Lab access can use a special inline block syntax to circumvent the denylist, enabling execution of SQL functions that were intended to be blocked. This can lead to unauthorized disclosure of sensitive database information, such as the underlying database software version. The vulnerability requires no user interaction and no privileges beyond an authenticated account with SQL Lab access, and it can be exploited remotely over the network. The CVSS 4.0 score is 5.3 (medium), reflecting a network-based attack vector with low complexity and only low privileges required (SQL Lab access), but an impact limited to confidentiality (information disclosure) with no direct integrity or availability compromise. No exploits are currently reported in the wild. The issue is fixed in Apache Superset version 5.0.0, and users are strongly advised to upgrade to this version to mitigate the risk.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to those using Apache Superset for data analytics and business intelligence. Unauthorized execution of blocked SQL functions can reveal sensitive database metadata, potentially aiding attackers in crafting further targeted attacks against backend databases. While the immediate impact is limited to information disclosure, this can facilitate escalation or lateral movement within an organization's network. Organizations handling sensitive or regulated data (e.g., financial, healthcare, or personal data under GDPR) could face compliance risks if such information is leaked. Additionally, attackers gaining insights into database versions might exploit other known vulnerabilities specific to those versions. The risk is heightened in environments where SQL Lab access is granted to multiple users or insufficiently controlled, increasing the attack surface. Given the widespread adoption of Apache Superset in Europe, especially in sectors leveraging data analytics, this vulnerability could affect a broad range of organizations if not promptly addressed.
Mitigation Recommendations
1. Upgrade Apache Superset to version 5.0.0 or later immediately, as this version contains the fix for CVE-2025-55674.
2. Restrict SQL Lab access strictly to trusted and trained personnel, minimizing the number of users who can execute arbitrary SQL queries.
3. Implement strict role-based access controls (RBAC) within Superset to limit permissions and reduce exposure.
4. Monitor and audit SQL Lab query logs for unusual or suspicious queries that may indicate attempts to bypass security controls.
5. Employ database-level security measures such as limiting execution of potentially dangerous SQL functions at the database user or role level, adding an additional layer of defense.
6. Regularly review and update denylist configurations and security policies to ensure they are effective against emerging bypass techniques.
7. Conduct security awareness training for users with SQL Lab access to recognize and report suspicious activities.
8. Consider network segmentation and firewall rules to limit access to Superset instances from untrusted networks.
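Recommendation 4 asks for review of SQL Lab query logs. The script below is an added example of one way to do that offline; it is not code from this page or from the Superset project. It assumes a simple tab-separated log format (timestamp, user, engine, SQL) and a per-engine denylist shaped like Superset's DISALLOWED_SQL_FUNCTIONS setting; both the log lines and the denylist entries are constructed for the example. The audit strips comments and string literals before looking for function calls, so that a function name quoted inside a literal is not a false positive, and it matches calls case-insensitively with optional whitespace before the parenthesis.

```python
import re
from dataclasses import dataclass, field

# Engine -> lowercase function names to flag. Shaped like Superset's
# DISALLOWED_SQL_FUNCTIONS mapping; the entries are assumptions for this example.
DENYLIST: dict[str, set[str]] = {
    "postgresql": {"version", "inet_server_addr", "current_database"},
    "mysql": {"version", "user", "database"},
}

# Line comments, block comments, and single-quoted literals (with '' escapes).
_COMMENT_OR_LITERAL = re.compile(r"--[^\n]*|/\*.*?\*/|'(?:[^']|'')*'", re.S)
# An identifier immediately followed (modulo whitespace) by an opening paren.
_CALL = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")


@dataclass
class Finding:
    timestamp: str
    user: str
    engine: str
    functions: set[str] = field(default_factory=set)


def normalize_sql(sql: str) -> str:
    """Blank out comments and string literals so only executable tokens remain."""
    return _COMMENT_OR_LITERAL.sub(" ", sql)


def find_called_functions(sql: str) -> set[str]:
    """Return lowercase names that appear in call position, e.g. 'version' for VERSION()."""
    # Keywords such as FROM before a subquery also match; they are harmless
    # because only names present in the denylist are reported.
    return {m.group(1).lower() for m in _CALL.finditer(normalize_sql(sql))}


def audit_log(lines: list[str]) -> list[Finding]:
    """Flag log entries whose SQL calls a denylisted function for the entry's engine."""
    findings: list[Finding] = []
    for line in lines:
        parts = line.rstrip("\n").split("\t", 3)
        if len(parts) != 4:
            continue  # malformed entry; skip rather than guess
        timestamp, user, engine, sql = parts
        blocked = DENYLIST.get(engine.lower(), set())
        hits = find_called_functions(sql) & blocked
        if hits:
            findings.append(Finding(timestamp, user, engine, hits))
    return findings


# Constructed sample log lines (tab-separated): timestamp, user, engine, SQL text.
SAMPLE_LOG = [
    "2025-08-14T13:00:00Z\talice\tpostgresql\tSELECT count(*) FROM orders",
    "2025-08-14T13:01:00Z\tbob\tpostgresql\tSELECT VERSION()",
    "2025-08-14T13:02:00Z\tcarol\tmysql\tSELECT 'version()' AS label FROM t",
    "2025-08-14T13:03:00Z\tdave\tmysql\tSELECT user ( ) FROM dual",
    "2025-08-14T13:04:00Z\terin\tsqlite\tSELECT 1",
]

if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user} [{f.engine}] called denylisted: {sorted(f.functions)}")
```

Lexical matching like this is a review aid, not an enforcement boundary: the vulnerability itself shows that a text-level denylist can be sidestepped, which is why recommendation 5 (restricting the functions at the database role level) matters as the layer that does not depend on parsing the query.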
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: apache
- Date Reserved: 2025-08-13T13:02:25.259Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 689de581ad5a09ad005b2ae0
Added to database: 8/14/2025, 1:32:49 PM
Last enriched: 8/14/2025, 1:48:30 PM
Last updated: 8/14/2025, 2:30:41 PM