CVE-2025-48912: Apache Superset: Improper authorization bypass on row level security via SQL Injection

7.1 CVSS

Description

An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into 'sqlExpression' fields. This allowed the execution of sub-queries that evaded the parsing defenses, ultimately granting unauthorized access to data.

This issue affects Apache Superset: before 4.1.2.

Users are recommended to upgrade to version 4.1.2, which fixes the issue.
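A defensive check of the kind the description calls for, added here as an illustration and not Superset's own code: it tokenizes a row level security 'sqlExpression' and rejects nested queries, comments, statement terminators and unbalanced quoting instead of trusting the raw string. The function name, keyword list and sample expressions are assumptions.

```python
import re

# Keywords that have no place in a row-level-security filter predicate.
# An RLS sqlExpression should be a boolean condition over the table's own
# columns (e.g. "region = 'EMEA'"), never a statement or a nested query.
FORBIDDEN_KEYWORDS = {"SELECT", "UNION", "WITH", "INSERT", "UPDATE", "DELETE",
                      "DROP", "ALTER", "EXEC", "EXECUTE"}

_TOKEN_RE = re.compile(r"""
    '(?:[^']|'')*'            # single-quoted string literal ('' escapes a quote)
  | "(?:[^"]|"")*"            # double-quoted identifier
  | --[^\n]*                  # line comment
  | /\*(?:.*?\*/|.*)          # block comment (terminated or running to the end)
  | [A-Za-z_][A-Za-z0-9_]*    # bare word: column name, operator keyword, ...
  | \S                        # any other single character
""", re.VERBOSE | re.DOTALL)


def validate_rls_expression(expr: str) -> tuple:
    """Return (ok, reason). Accept only a plain predicate and reject the
    shapes that would smuggle a query or a second statement into the filter."""
    depth = 0
    for match in _TOKEN_RE.finditer(expr):
        tok = match.group(0)
        if tok in ("'", '"'):
            return False, "unterminated quote"
        if tok[0] in "'\"":
            continue  # contents of literals/identifiers are inert
        if tok.startswith(("--", "/*")):
            return False, "comments are not allowed"
        if tok == ";":
            return False, "statement terminator not allowed"
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
            if depth < 0:
                return False, "unbalanced parentheses"
        elif tok.upper() in FORBIDDEN_KEYWORDS:
            return False, f"keyword {tok.upper()} not allowed in a predicate"
    if depth != 0:
        return False, "unbalanced parentheses"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample expressions: two legitimate predicates, then rejected shapes.
    for sample in ("region = 'EMEA'", "name = 'O''Brien'",
                   "region IN (SELECT region FROM other_table)",
                   "region = 'EMEA' -- trailing comment"):
        print(f"{sample!r}: {validate_rls_expression(sample)}")
```

A check like this belongs in front of the real SQL parser, not instead of it: the parser still decides what the expression means, the pre-check only refuses input that a predicate should never contain.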

Classification

CVE ID: CVE-2025-48912

CVSS Base Severity: HIGH

CVSS Base Score: 7.1

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem Types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Affected Products

Vendor: Apache Software Foundation

Product: Apache Superset

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.11% (probability of being exploited)

EPSS Percentile: 29.89% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-05-30 (date on which this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-48912
https://lists.apache.org/thread/ms2t2oq218hb7l628trsogo4fj7h1135

Timeline