CVE-2025-48912NVD

Vulnerability Summary

An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into 'sqlExpression' fields. This allowed the execution of sub-queries to evade parsing defenses ultimately granting unauthorized access to data.

This issue affects Apache Superset: before 4.1.2.

Users are recommended to upgrade to version 4.1.2, which fixes the issue.

Severity Level

HIGH(7.1)

Published Date

May 30, 2025

Last Modified

Jun 4, 2025

Exploitation Status

????

EPSS Score (30-Day)

Data Pending

Root Weakness (CWE)

CWE-89: SQL Injection ↗

Improper neutralization of special elements used in an SQL command, allowing attackers to modify queries.

CVSS v4.0 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredLow

User InteractionNone

External References

https://lists.apache.org/thread/ms2t2oq218hb7l628trsogo4fj7h1135
http://www.openwall.com/lists/oss-security/2025/05/30/3

Critical Alert

CVE Watchtower

CVE-2025-48912NVD

Vulnerability Summary

External References