CVE-2025-55674: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Apache Software Foundation Apache Superset
A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, leading to the disclosure of sensitive database information like the software version. This issue affects Apache Superset: before 5.0.0. Users are recommended to upgrade to version 5.0.0, which fixes the issue.
AI Analysis
Technical Summary
Apache Superset is an open-source data visualization and business intelligence platform; its SQL Lab feature lets authorized users run ad hoc SQL against connected databases. CVE-2025-55674 is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), although mechanically it is a bypass of a query-filtering control rather than injection into a query the application builds: the DISALLOWED_SQL_FUNCTIONS setting lets administrators denylist SQL functions that SQL Lab users may not call, and a user with SQL Lab access can place a specially formed inline block in the query text so that the denylist check does not recognize a call that the database still executes. Because the control inspects query text rather than enforcing database privileges, a blocked function such as the one returning the server's version string can be run, disclosing metadata that aids further attacks. All Apache Superset versions before 5.0.0 are affected. The CVSS 4.0 base score is 5.3 (medium): network attack vector, low attack complexity, an authenticated account with SQL Lab access required (low privileges), no user interaction. The impact is limited to confidentiality; integrity and availability are unaffected. No public exploit had been reported at the time of this analysis. The remediation is to upgrade to Apache Superset 5.0.0, which contains the fix.
Potential Impact
For European organizations running Apache Superset, the direct consequence is disclosure of database metadata, such as the server version, to any authenticated user who holds SQL Lab access. That is enough to fingerprint the backing database for follow-on attacks, and in sectors with strict data protection obligations (finance, healthcare, government) an unauthorized disclosure can also carry compliance consequences. Because SQL Lab access is required, the realistic attacker is an insider or a compromised analyst account rather than an anonymous remote party. Integrity and availability are not affected and the CVSS rating is medium; the concern is that Superset is widely deployed in European analytics environments and that a denylist many administrators treat as a safeguard does not hold. Organizations that use Superset for business-critical reporting should treat the upgrade as a priority.
Mitigation Recommendations
1. Upgrade Apache Superset to version 5.0.0 or later; this release contains the fix for CVE-2025-55674 and is the only complete remediation.
2. Restrict SQL Lab access to trusted, trained users and review which roles carry the SQL Lab permission, since every such account can reach the bypass.
3. Segment the network and apply access controls so that Superset instances are reachable only by the users and systems that need them.
4. Review SQL Lab query history and logs for calls to denylisted functions, normalizing case, whitespace and comments before matching, because the bypass depends on a query form that the denylist check does not recognize.
5. Use database activity monitoring on the backing databases to detect executions of sensitive functions regardless of how the query text was written.
6. Treat DISALLOWED_SQL_FUNCTIONS as defense in depth, not as a security boundary: grant the database account Superset connects with only the privileges analysts need, so that a function the denylist fails to catch has nothing sensitive to return.
7. Educate users with SQL Lab access about safe query practices and the risks of executing untrusted SQL.
8. A WAF rule targeting the inline-block pattern may be considered, but SQL Lab submits queries inside JSON API requests and the advisory does not specify the exact syntax, so such rules are brittle and must not stand in for the upgrade.
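The following script performs the kind of SQL Lab log review described in items 4 and 5 above, and illustrates why a text-level denylist like the one in the technical summary is only a heuristic. It is an added example, not Superset's own code or its DISALLOWED_SQL_FUNCTIONS implementation: it reuses the shape of that setting (engine name to set of function names), strips comments, string literals and quoted identifiers and lower-cases the query before matching so that casing, spacing and comment tricks cannot hide a call, and runs over a constructed set of query records. The denylist entries, the sample queries and the assumption that query text is available from Superset's query table or exported logs are all illustrative.

```python
import re

# Same shape as Superset's DISALLOWED_SQL_FUNCTIONS setting (engine name ->
# set of function names). These entries are an illustrative choice for the
# example, not a copy of the project's default configuration.
DISALLOWED_SQL_FUNCTIONS = {
    "postgresql": {"version", "query_to_xml", "inet_server_addr"},
    "mysql": {"version", "sleep", "load_file"},
}

# One pass over the text: string literals (with '' escapes), block comments
# and line comments. Matching them together, left to right, means a "--" inside
# a string or a quote inside a comment is handled correctly.
_TOKEN = re.compile(r"'(?:[^']|'')*'|/\*.*?\*/|--[^\n]*", re.S)


def _blank(match):
    tok = match.group(0)
    # Keep a placeholder literal so the statement still reads as SQL; drop comments.
    return "''" if tok.startswith("'") else " "


def normalize_sql(sql):
    """Canonical form for matching: no comments, no literal contents,
    no double-quoted identifiers, single spaces, lower case."""
    sql = _TOKEN.sub(_blank, sql)
    sql = sql.replace('"', "")
    return re.sub(r"\s+", " ", sql).lower().strip()


def find_disallowed_calls(sql, engine):
    """Return the sorted denylisted function names that appear to be called
    in `sql` for the given engine (empty list if none, or engine unknown)."""
    denylist = DISALLOWED_SQL_FUNCTIONS.get(engine, set())
    text = normalize_sql(sql)
    found = []
    for name in denylist:
        # The name must not be the tail of a longer identifier; a schema prefix
        # such as "pg_catalog." is still matched because "." is not excluded.
        pattern = r"(?<![a-z0-9_])" + re.escape(name) + r"\s*\("
        if re.search(pattern, text):
            found.append(name)
    return sorted(found)


# Constructed sample of SQL Lab query records (engine, user, sql text), not
# real logs. In a deployment these would come from Superset's query table or
# from exported SQL Lab logs (an assumption about where the text lives).
SAMPLE_QUERIES = [
    ("postgresql", "analyst1", "SELECT region, SUM(amount) FROM sales GROUP BY region"),
    ("postgresql", "analyst2", "SELECT VERSION()"),
    ("postgresql", "analyst2", "select pg_catalog.version /* ok */ ()"),
    ("postgresql", "analyst3", "SELECT 'version()' AS note, 1"),
    ("postgresql", "analyst3", "SELECT count(*) FROM t -- version()"),
    ("mysql", "analyst4", "SELECT SLEEP(5)"),
]


def audit(records):
    """Flag every record that calls a denylisted function for its engine."""
    findings = []
    for engine, user, sql in records:
        hits = find_disallowed_calls(sql, engine)
        if hits:
            findings.append({"user": user, "engine": engine, "functions": hits, "sql": sql})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_QUERIES):
        print(f"{f['user']:<10} {f['engine']:<11} {','.join(f['functions']):<12} {f['sql']}")
```

Run against the constructed records it flags analyst2 twice (plain and comment-padded, schema-qualified calls) and analyst4 once, while leaving the literal `'version()'` and the commented-out call alone. The same limitation applies here as to the setting the CVE concerns: any check that works on query text can be defeated by a query form the normalizer does not anticipate, which is why item 6, restricting what the database account can execute, is the control to rely on.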
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: apache
- Date Reserved: 2025-08-13T13:02:25.259Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 689de581ad5a09ad005b2ae0
Added to database: 8/14/2025, 1:32:49 PM
Last enriched: 11/4/2025, 10:09:16 PM
Last updated: 12/29/2025, 2:20:58 PM