GHSA-fxgf-3xh6-m2pp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-fxgf-3xh6-m2pp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-fxgf-3xh6-m2pp/GHSA-fxgf-3xh6-m2pp.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-fxgf-3xh6-m2pp
- Aliases
- Published
- 2025-08-14T15:30:44Z
- Modified
- 2025-11-05T20:39:31Z
- Severity
-
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Apache Superset has bypass of `DISALLOWED_SQL_FUNCTIONS` that allows execution of blocked SQL functions
- Details
-
A bypass of the DISALLOWEDSQLFUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, leading to the disclosure of sensitive database information like the software version.
This issue affects Apache Superset: before 5.0.0.
Users are recommended to upgrade to version 5.0.0, which fixes the issue.
- Database specific
{ "github_reviewed_at": "2025-08-14T17:36:27Z", "nvd_published_at": "2025-08-14T14:15:34Z", "severity": "MODERATE", "cwe_ids": [ "CWE-89" ], "github_reviewed": true }- References
Affected packages
PyPI / apache-superset
Package
- Name
- apache-superset
- View open source insights on deps.dev
- Purl
- pkg:pypi/apache-superset
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.0.0
Affected versions
0.*
0.34.0
0.34.1
0.35.1
0.35.2
0.36.0
0.37.0
0.37.1
0.37.2
0.38.0
0.38.1
1.*
1.0.0
1.0.1
1.1.0
1.2.0
1.3.0
1.3.1
1.3.2
1.4.0
1.4.1
1.4.2
1.5.0
1.5.1
1.5.2
1.5.3
2.*
2.0.0
2.0.1
2.1.0
2.1.1rc1
2.1.1rc2
2.1.1rc3
2.1.1
2.1.2
2.1.3
3.*
3.0.0rc1
3.0.0rc2
3.0.0rc3
3.0.0rc4
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.1.0rc1
3.1.0rc2
3.1.0rc3
3.1.0rc4
3.1.0
3.1.1
3.1.2
3.1.3
4.*
4.0.0rc1
4.0.0rc2
4.0.0
4.0.1
4.0.2
4.1.0rc2
4.1.0rc3
4.1.0rc4
4.1.0
4.1.1rc1
4.1.1
4.1.2rc1
4.1.2
4.1.3rc1
4.1.3rc2
4.1.3.post1
4.1.4rc1
4.1.4
5.*
5.0.0rc1
5.0.0rc2
5.0.0rc3
5.0.0rc4