CVE-2025-5874: Sandbox Issue in Redash
A vulnerability was found in Redash up to 10.1.0/25.1.0. It has been rated as problematic. This issue affects the function run_query of the file /query_runner/python.py of the component getattr Handler. The manipulation leads to a sandbox issue. The complexity of an attack is rather high, and exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor explains that "[t]he Python data source is disabled by default and is clearly marked in our documentation as discouraged due to its security implications. Users who choose to enable it are doing so at their own risk, with full awareness that it bypasses standard safeguards."
AI Analysis
Technical Summary
CVE-2025-5874 is a vulnerability in Redash versions up to 10.1.0 and 25.1.0, affecting the run_query function in /query_runner/python.py. It is a sandbox issue in the getattr handler that could allow an attacker to bypass sandbox restrictions. Exploitation complexity is high, and the attack is considered difficult to execute. The vulnerability arises from the Python data source feature, which is disabled by default and explicitly discouraged in the official documentation because of its security implications; per the vendor, users who enable it do so at their own risk, aware that it bypasses standard safeguards. The CVSS 4.0 score is 2.1 (low severity): attack vector adjacent network, high attack complexity, no user interaction required, and low impact on confidentiality, integrity, and availability. There are no known exploits in the wild, and the vendor has not provided patches yet. An exploit has been publicly disclosed, but actual exploitability and impact remain questionable. Overall, the risk is limited primarily to environments that have explicitly enabled the Python data source, which is not the default configuration.
Potential Impact
For European organizations, the impact of CVE-2025-5874 is likely minimal under typical deployment scenarios because the vulnerable Python data source feature is disabled by default and clearly marked as insecure. Organizations that have enabled this feature to run custom Python queries within Redash could face risks of sandbox escape, potentially leading to unauthorized code execution or data access within the Redash environment. This could compromise the confidentiality and integrity of query results or underlying data sources. However, given the high complexity of exploitation and the absence of known active exploits, the immediate threat level is low. The vulnerability could be more relevant for organizations heavily reliant on Redash for business intelligence and data analytics, especially those integrating Python scripts for advanced querying. In such cases, a successful exploit might allow attackers to execute arbitrary code or access sensitive data, potentially impacting data-driven decision-making processes. Nonetheless, the overall risk remains constrained by the feature's disabled-by-default status and the requirement for local or adjacent network access with low privileges.
Mitigation Recommendations
European organizations using Redash should ensure that the Python data source feature remains disabled unless absolutely necessary. If enabling this feature is required, it should be done only in tightly controlled environments with strict access controls and network segmentation to limit exposure. Monitoring and logging of query execution should be enhanced to detect any anomalous or unauthorized Python code execution. Organizations should apply the principle of least privilege to Redash users, restricting permissions to only those who require Python data source capabilities. Additionally, organizations should stay alert for vendor patches or updates addressing this vulnerability and apply them promptly once available. Implementing network-level controls to restrict access to Redash instances from trusted hosts only can further reduce risk. Finally, conducting security reviews and penetration tests focusing on Redash configurations and custom query execution can help identify and remediate potential exploitation paths.
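One way to check the first recommendation on a deployment, as an added example (not Redash's or the advisory's own code): it reads an environment file and a saved data source listing and reports whether the Python query runner is loaded and which data sources use it. The `REDASH_*_QUERY_RUNNERS` variable names, the module path `redash.query_runner.python` and the `python` type value are assumptions about Redash's settings to confirm against the deployed version; the sample inputs are constructed.

```python
import json

PY_MODULE = "redash.query_runner.python"  # module path of the Python query runner
PY_TYPE = "python"  # assumed "type" value of data sources backed by it

# Constructed sample inputs: an env file and a saved data source listing.
SAMPLE_ENV = """\
# redash.env (constructed)
REDASH_ADDITIONAL_QUERY_RUNNERS=redash.query_runner.python, example_org.custom_runner
"""
SAMPLE_LISTING = json.dumps([
    {"id": 1, "name": "warehouse", "type": "pg"},
    {"id": 7, "name": "adhoc-scripts", "type": "python"},
])


def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("'\"")
    return env


def runner_loaded(env):
    """True if the runner lists would load the Python query runner."""
    def items(key):
        return {v.strip() for v in env.get(key, "").split(",") if v.strip()}
    wanted = items("REDASH_ENABLED_QUERY_RUNNERS") | items("REDASH_ADDITIONAL_QUERY_RUNNERS")
    return PY_MODULE in wanted - items("REDASH_DISABLED_QUERY_RUNNERS")


def audit(env_text, listing_json):
    """Report whether the runner is loaded and which data sources use it."""
    loaded = runner_loaded(parse_env(env_text))
    sources = [(d["id"], d["name"]) for d in json.loads(listing_json)
               if d.get("type") == PY_TYPE]
    return {"runner_loaded": loaded, "python_sources": sources,
            "exposed": loaded and bool(sources)}


if __name__ == "__main__":
    print(audit(SAMPLE_ENV, SAMPLE_LISTING))
```

A result with `runner_loaded` true and an empty `python_sources` list still means the runner is available for a new data source to use.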
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-06-08T17:53:18.632Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6846c7637b622a9fdf1f2a2c
Added to database: 6/9/2025, 11:37:07 AM
Last enriched: 7/16/2025, 8:37:11 PM
Last updated: 8/12/2025, 2:55:40 AM