
CVE-2025-48912: Apache Superset: Improper authorization bypass on row level security via SQL Injection

CVSS Score (CVSS v4.0)
7.1

Basic Information

EPSS Score
0.28349%
Published
5/30/2025
Updated
5/30/2025
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Package Name: apache-superset
Ecosystem: pip
Vulnerable Versions: < 4.1.2
First Patched Version: 4.1.2

Vulnerability Intelligence

Root Cause Analysis

The vulnerability CVE-2025-48912 describes an SQL injection in Apache Superset's 'sqlExpression' fields, allowing bypass of row-level security. The fix is in version 4.1.2. Commit 5e7299431d8b03070f54dd5bf3593e8b445da096 (fix(dataset): use sqlglot for DML check), part of the 4.1.2 release, modifies the get_virtual_table_metadata function in superset/connectors/sqla/utils.py. This function is responsible for processing SQL for virtual datasets, which can involve user-defined 'sqlExpression'. The patch replaces the existing SQL parsing and validation mechanism with sqlglot, a more robust SQL parser, specifically to check for DML statements (mutations). This change directly addresses the vulnerability by improving the detection and prevention of malicious SQL that could be injected through 'sqlExpression', thereby preventing the bypass of security measures like row-level security. The function get_virtual_table_metadata is therefore identified as a vulnerable function prior to this patch because it handled potentially malicious SQL input without sufficient validation.


WAF Protection Rules

WAF Rule

An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into 'sqlExpression' fields. This allowed the execution of sub-queries to evade parsing defenses ultimately granting unau
