| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| apache-superset | pip | < 4.1.2 | 4.1.2 |
The vulnerability CVE-2025-48912 describes an SQL injection in Apache Superset's `sqlExpression` fields that allows row-level security to be bypassed. The fix is in version 4.1.2. Commit 5e7299431d8b03070f54dd5bf3593e8b445da096 (fix(dataset): use sqlglot for DML check), part of the 4.1.2 release, modifies the `get_virtual_table_metadata` function in `superset/connectors/sqla/utils.py`. This function processes the SQL of virtual datasets, which can include user-defined `sqlExpression` values. The patch replaces the existing SQL parsing and validation mechanism with sqlglot, a more robust SQL parser, specifically to check for DML statements (mutations). This change addresses the vulnerability by improving detection and rejection of malicious SQL injected through `sqlExpression`, and so prevents the bypass of security measures such as row-level security. `get_virtual_table_metadata` is therefore identified as the vulnerable function prior to this patch, because it handled potentially malicious SQL input without sufficient validation.
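The point of the fix is that a mutation check has to operate on parsed tokens and statements, not on the raw string: a prefix or substring test is fooled by stacked statements, comments, quoted literals and CTE bodies. The block below is an added illustration of that idea and is not Superset's code and not sqlglot; it is a deliberately small hand-rolled tokenizer (a constructed stand-in for the AST-based check the patch introduces) that strips comments and literals, splits on statement boundaries and then looks for DML/DDL keywords as whole tokens. The function names, the keyword list and the sample SQL strings are all constructed for this example.

```python
import re

# Constructed keyword list for this example. A real deployment should use a
# full SQL parser (the page describes Superset switching to sqlglot) rather
# than this simplified tokenizer.
DML_KEYWORDS = {
    "INSERT", "UPDATE", "DELETE", "MERGE", "REPLACE", "TRUNCATE",
    "DROP", "ALTER", "CREATE", "GRANT", "REVOKE", "CALL", "EXEC", "EXECUTE",
}

# One regex that classifies each lexeme; comments are consumed so their
# contents never reach the keyword check, and quoted literals/identifiers
# are kept as opaque tokens so "DELETE" inside a string is not a statement.
_TOKEN_RE = re.compile(
    r"""
    (?P<line_comment>--[^\n]*)           # -- to end of line
  | (?P<block_comment>/\*.*?\*/)         # /* ... */
  | (?P<string>'(?:[^']|'')*')           # single-quoted literal ('' escape)
  | (?P<dquoted>"(?:[^"]|"")*")          # double-quoted identifier
  | (?P<bquoted>`[^`]*`)                 # backtick-quoted identifier
  | (?P<semicolon>;)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)     # bare identifier or keyword
  | (?P<other>\S)                        # any other single character
    """,
    re.VERBOSE | re.DOTALL,
)


def tokenize(sql):
    """Return (kind, text) pairs with comments removed."""
    tokens = []
    for m in _TOKEN_RE.finditer(sql):
        if m.lastgroup in ("line_comment", "block_comment"):
            continue
        tokens.append((m.lastgroup, m.group()))
    return tokens


def split_statements(tokens):
    """Split the token stream on top-level semicolons; drop empty statements."""
    statements = [[]]
    for kind, text in tokens:
        if kind == "semicolon":
            statements.append([])
        else:
            statements[-1].append((kind, text))
    return [s for s in statements if s]


def find_dml(sql):
    """List every DML/DDL keyword that appears as a bare token, in order.

    Scanning every token (not just the first) is what catches a mutation
    hidden inside a CTE or a subquery of an otherwise read-only statement.
    """
    found = []
    for statement in split_statements(tokenize(sql)):
        for kind, text in statement:
            if kind == "word" and text.upper() in DML_KEYWORDS:
                found.append(text.upper())
    return found


def is_readonly(sql):
    """True only for exactly one statement that contains no DML/DDL token."""
    statements = split_statements(tokenize(sql))
    if len(statements) != 1:          # stacked statements are rejected outright
        return False
    return not find_dml(sql)


def naive_is_readonly(sql):
    """The kind of prefix check the fix replaces; shown only for contrast."""
    return bool(re.match(r"^\s*(SELECT|WITH)\b", sql, re.IGNORECASE))


if __name__ == "__main__":
    # Constructed sample expressions, not taken from the advisory.
    samples = [
        "SELECT id, deleted_at FROM orders",
        "SELECT 1; DELETE FROM orders",
        "SELECT 1 -- ; DELETE FROM orders",
        "SELECT 'DROP TABLE orders' AS note",
        "WITH x AS (DELETE FROM orders RETURNING *) SELECT * FROM x",
    ]
    for s in samples:
        print(f"{naive_is_readonly(s)!s:5} {is_readonly(s)!s:5} {find_dml(s)} {s}")
```

The contrast column shows the failure modes of a prefix check: the stacked statement and the CTE wrapping a `DELETE` both start with `SELECT`/`WITH` and pass the naive test, while the token-based check rejects them. The tokenizer is conservative by design (an unquoted column literally named `update` would be flagged), which is the right default for user-supplied SQL fragments; a full parser such as sqlglot avoids that false positive by knowing which position a word occupies in the grammar.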