Apache Superset: Improper Authorization Bypass via SQL Injection (CVE-2025-XXXXX) – High Severity


How the CVE Works

The vulnerability (CVE-2025-XXXXX) in Apache Superset allows an authenticated attacker to bypass Row-Level Security (RLS) by injecting malicious SQL into the `sqlExpression` field. Superset’s RLS relies on SQL expressions to enforce data access restrictions, but improper input validation enables attackers to craft sub-queries that evade security checks. By manipulating these expressions, an attacker can execute arbitrary SQL, exposing restricted data. The flaw stems from insufficient sanitization of user-supplied SQL before execution in backend queries.

DailyCVE Form

Platform: Apache Superset
Version: < 4.1.2
Vulnerability: SQL Injection
Severity: High
Date: May 30, 2025

Prediction: Patch expected by June 15, 2025

What Undercode Says:

Exploitation Analysis

1. Exploit Vector:

  • Attacker authenticates into Superset.
  • Modifies `sqlExpression` in RLS rules via API or UI.
  • Injects malicious SQL (e.g., `1=1; SELECT * FROM sensitive_data`).
  • Bypasses RLS filters, accessing unauthorized data.

2. Proof of Concept (PoC):

```python
import requests

# Placeholder host and token as given in the original advisory.
target = "http://superset.target/api/security/rowlevel"
payload = {"sqlExpression": "1=1; SELECT * FROM secrets"}
headers = {"Authorization": "Bearer <VALID_TOKEN>"}
response = requests.post(target, json=payload, headers=headers)
print(response.text)
```

Protection Measures

1. Immediate Mitigation:

  • Disable RLS if unused.
  • Apply WAF rules blocking SQL keywords in sqlExpression.

2. Permanent Fix:

  • Upgrade to Superset 4.1.2.
  • Sanitize inputs using parameterized queries:

```python
from sqlalchemy import text

user_input = 42  # value supplied by the caller, never interpolated into the SQL string
query = text("SELECT * FROM table WHERE id = :id").bindparams(id=user_input)
# Binding protects values; an RLS sqlExpression is itself SQL, so it must be validated separately.
```
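As an added example (not code from the advisory or from the Superset project), a defensive validator for candidate RLS `sqlExpression` values: it rejects statement separators, comment sequences and unbalanced parentheses outside string literals, then confirms the remainder compiles as a single predicate via `EXPLAIN`. It assumes a constructed SQLite sample schema (`sales`, `secrets`) standing in for the data warehouse, and the table name is trusted application metadata.

```python
import sqlite3

# Constructed sample schema standing in for a Superset-connected database.
SCHEMA = """CREATE TABLE sales(id INTEGER, region TEXT, amount INTEGER);
INSERT INTO sales VALUES (1, 'EMEA', 100), (2, 'APAC', 250);
CREATE TABLE secrets(id INTEGER, token TEXT);
INSERT INTO secrets VALUES (1, 'constructed-secret');"""

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def lex_check(expr):
    # Reject separators, comments and unbalanced parens outside '...' literals ('' escapes a quote).
    depth, i, in_str = 0, 0, False
    while i < len(expr):
        ch = expr[i]
        if in_str:
            if ch == "'" and expr[i + 1:i + 2] == "'":
                i += 1
            elif ch == "'":
                in_str = False
        elif ch == "'":
            in_str = True
        elif ch == ";":
            return "statement separator"
        elif expr[i:i + 2] in ("--", "/*"):
            return "comment sequence"
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return "unbalanced parentheses"
        i += 1
    if in_str or depth != 0:
        return "unterminated string or unbalanced parentheses"
    return None

def validate_rls_expression(conn, table, expr):
    # `table` comes from the application's own metadata, never from the user.
    reason = lex_check(expr)
    if reason:
        return False, reason
    try:
        # EXPLAIN compiles the predicate without executing it; non-predicates fail here.
        conn.execute(f"EXPLAIN SELECT 1 FROM {table} WHERE ({expr})")
    except sqlite3.Error as exc:
        return False, f"does not compile as a predicate: {exc}"
    return True, "ok"
```

Legitimate clauses with subqueries (`region IN (SELECT ...)`) still pass, while the `1=1; SELECT ...` shape from the advisory is rejected before it reaches the database.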

3. Detection Commands:

  • Log Analysis:

```shell
grep "sqlExpression.*SELECT" /var/log/superset/access.log
```

  • Database Audit:

```sql
SELECT * FROM pg_stat_activity WHERE query LIKE '%sqlExpression%';
```

4. Post-Patch Verification:

  • Test RLS rules with malicious inputs.
  • Monitor for unusual query patterns.

Impact: Data exfiltration, privilege escalation.

Affected Configs: Superset instances with RLS enabled.

Patch Status: Confirmed in v4.1.2.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
