Vulnerability DatabaseCVE-2025-55673
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-55673
August 14, 2025
When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This field contains the underlying query, which improperly discloses database schema information, such as table names, to the low-privileged guest user. This issue affects Apache Superset: before 4.1.3. Users are recommended to upgrade to version 4.1.3, which fixes the issue.
Affected Packages
https://github.com/apache/superset.git (GITHUB):
Affected version(s) >=0.2.0 <4.1.3
Fix Suggestion:
Update to version 4.1.3
apache-superset (PYTHON):
Affected version(s) >=0.34.0 <4.1.3
Fix Suggestion:
Update to version 4.1.3
apache-superset (PYTHON):
Affected version(s) >=0.34.0 <4.1.3.post1
Fix Suggestion:
Update to version 4.1.3.post1
Related Resources (2)
https://seclists.org/oss-sec/2025/q3/105
https://lists.apache.org/thread/h2hw756wk4sj4z49blvzkr5fntl9hlf8
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Exposure of Sensitive Information to an Unauthorized Actor
CWE-200
EPSS
Base Score:
0.20