CVE-2024-53947 Overview
CVE-2024-53947 is a SQL injection vulnerability in Apache Superset that allows authenticated users to bypass the application's SQL authorization controls. The flaw exists because certain engine-specific PostgreSQL functions were not included in the disallowed functions list. This issue is a follow-up to CVE-2024-39887, extending the disallow list to cover query_to_xml_and_xmlschema, table_to_xml, and table_to_xml_and_xmlschema. The vulnerability affects all Apache Superset releases prior to version 4.1.0 and is tracked under [CWE-89].
Critical Impact
Authenticated attackers can leverage unfiltered PostgreSQL XML functions to bypass Apache Superset SQL authorization and access data outside their permitted scope.
Affected Products
- Apache Superset versions prior to 4.1.0
- Deployments using PostgreSQL as a backend database
- Apache Superset instances relying on the default DISALLOWED_SQL_FUNCTIONS configuration
Discovery Timeline
- 2024-12-09 - CVE-2024-53947 published to NVD
- 2025-07-15 - Last updated in NVD database
Technical Details for CVE-2024-53947
Vulnerability Analysis
Apache Superset enforces SQL authorization by maintaining a list of disallowed SQL functions that users cannot invoke within queries. The authorization layer inspects submitted SQL for blocked function names before sending it to the underlying database engine. PostgreSQL exposes several engine-specific functions that can read table contents and return them as XML, including query_to_xml_and_xmlschema, table_to_xml, and table_to_xml_and_xmlschema.
Because these functions were absent from Superset's DISALLOWED_SQL_FUNCTIONS configuration prior to version 4.1.0, an authenticated user could invoke them to read data from tables that the authorization layer would otherwise block. The vulnerability extends the prior fix in CVE-2024-39887, which addressed a similar bypass with a different set of functions. The EPSS score is approximately 0.4%, indicating low predicted exploitation probability.
Root Cause
The root cause is an incomplete denylist. Apache Superset's authorization logic relies on enumerating dangerous engine-specific functions, but the original list did not include PostgreSQL's XML export functions. Denylist-based controls are inherently fragile when the underlying database engine continues to expose alternative paths to the same data.
Attack Vector
An attacker requires an authenticated Superset account with permission to submit SQL queries against a PostgreSQL data source. The attacker crafts a query that invokes one of the missing functions, such as table_to_xml, against a target table. The function returns the table contents as XML, effectively bypassing per-table authorization checks enforced elsewhere in Superset.
No public proof-of-concept is listed, and the vulnerability is not in the CISA Known Exploited Vulnerabilities catalog. Verified code examples are not available; refer to the Apache Mailing List Thread for the project's technical disclosure.
Detection Methods for CVE-2024-53947
Indicators of Compromise
- SQL queries submitted through Superset containing the strings table_to_xml, table_to_xml_and_xmlschema, or query_to_xml_and_xmlschema.
- Unexpected XML-formatted result sets returned to user sessions in Superset query logs.
- Authenticated users querying tables outside their normal access patterns or business role.
Detection Strategies
- Inspect Superset query history and PostgreSQL pg_stat_statements for invocations of the three XML export functions.
- Correlate Superset user identity with the tables referenced inside XML function arguments to identify authorization bypass attempts.
- Alert on Superset versions below 4.1.0 detected through software inventory scans.
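The first two detection steps above (scanning query history for the three XML export functions and correlating the submitting user with the table named inside the function argument) as a worked example. This is illustration code added for this page, not code from the original advisory or from the Apache Superset project. The log records and the per-user table grants are constructed sample data, and the record shape ({"user", "sql"}) is an assumption about how Superset query history or pg_stat_statements rows have been exported for review.

```python
import re
from dataclasses import dataclass

# Matches a call to one of the three PostgreSQL XML export functions named in
# this advisory (case-insensitive; schema-qualified calls such as
# pg_catalog.table_to_xml(...) are matched too) and captures the first
# argument either as a quoted string literal or as a bare identifier.
_CALL_RE = re.compile(
    r"\b(query_to_xml_and_xmlschema|table_to_xml_and_xmlschema|table_to_xml)"
    r"\s*\(\s*(?:'([^']*)'|([A-Za-z_][\w.]*))",
    re.IGNORECASE,
)
# For the query_* variant the first argument is SQL text; recover the table from it.
_FROM_RE = re.compile(r"\bfrom\s+([A-Za-z_][\w.]*)", re.IGNORECASE)


@dataclass
class Finding:
    user: str
    function: str
    table: str
    authorized: bool


def referenced_table(function: str, first_arg: str) -> str:
    """Recover the table an XML export call reads: the table_to_xml* variants
    name it directly, query_to_xml_and_xmlschema embeds it in the query text."""
    if function.startswith("query_"):
        m = _FROM_RE.search(first_arg)
        return m.group(1).lower() if m else "<unknown>"
    return first_arg.lower()


def scan_query_log(records, allowed_tables):
    """records: iterable of {"user": ..., "sql": ...} (assumed export shape);
    allowed_tables: {user: set of tables that user is permitted to read}.
    Returns one Finding per XML export call, marked authorized or not."""
    findings = []
    for rec in records:
        for m in _CALL_RE.finditer(rec["sql"]):
            function = m.group(1).lower()
            first_arg = m.group(2) if m.group(2) is not None else m.group(3)
            table = referenced_table(function, first_arg)
            permitted = allowed_tables.get(rec["user"], set())
            findings.append(Finding(rec["user"], function, table, table in permitted))
    return findings


def unauthorized_calls(findings):
    """The findings worth alerting on: calls that reach a table the user has no grant for."""
    return [f for f in findings if not f.authorized]


# Constructed sample data, not real Superset output.
SAMPLE_LOG = [
    {"user": "analyst", "sql": "SELECT region, SUM(amount) FROM public.sales GROUP BY region"},
    {"user": "analyst", "sql": "SELECT table_to_xml('hr.salaries', true, false, '')"},
    {"user": "analyst", "sql": "select QUERY_TO_XML_AND_XMLSCHEMA('select * from hr.employees', true, false, '')"},
    {"user": "hr_admin", "sql": "SELECT table_to_xml_and_xmlschema(hr.salaries, true, false, '')"},
]
SAMPLE_GRANTS = {
    "analyst": {"public.sales"},
    "hr_admin": {"hr.salaries", "hr.employees"},
}

if __name__ == "__main__":
    for f in unauthorized_calls(scan_query_log(SAMPLE_LOG, SAMPLE_GRANTS)):
        print(f"ALERT user={f.user} function={f.function} table={f.table}")
```

The grant map stands in for whatever source of truth the deployment has for per-user table access (Superset dataset permissions or PostgreSQL grants); the point of the correlation is that a call by hr_admin against hr.salaries is routine while the same call by analyst is an authorization-bypass indicator.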
Monitoring Recommendations
- Forward Superset application logs and PostgreSQL audit logs to a centralized analytics platform for query-level review.
- Track query patterns per user to baseline normal SQL Lab activity and flag deviations.
- Monitor configuration drift on the DISALLOWED_SQL_FUNCTIONS setting to ensure the denylist remains in place after deployments.
How to Mitigate CVE-2024-53947
Immediate Actions Required
- Upgrade Apache Superset to version 4.1.0 or later, which ships with the corrected denylist.
- If upgrading is not immediately feasible, add query_to_xml_and_xmlschema, table_to_xml, and table_to_xml_and_xmlschema to the DISALLOWED_SQL_FUNCTIONS configuration.
- Audit existing Superset user roles and remove SQL Lab access from accounts that do not require it.
Patch Information
Apache released the fix in Apache Superset 4.1.0. The patch extends the built-in DISALLOWED_SQL_FUNCTIONS set to include the three PostgreSQL XML export functions. See the Apache Mailing List Thread for the project announcement.
Workarounds
- Override DISALLOWED_SQL_FUNCTIONS in superset_config.py to include the affected PostgreSQL functions until the upgrade is applied.
- Restrict the PostgreSQL role used by Superset so it cannot read tables outside the intended dataset scope.
- Disable SQL Lab for users who only require dashboard or chart access.
# Configuration example - superset_config.py
# Denylist keyed by engine name. Besides the three functions this CVE adds,
# the set also covers the related query_to_xml and database_to_xml exports.
DISALLOWED_SQL_FUNCTIONS = {
    'postgresql': {
        'query_to_xml',
        'query_to_xml_and_xmlschema',
        'table_to_xml',
        'table_to_xml_and_xmlschema',
        'database_to_xml',
    },
}
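An added configuration-drift check for the DISALLOWED_SQL_FUNCTIONS override described in the workaround above and under Monitoring Recommendations. This is example code written for this page, not from the Apache Superset project; the config path argument, the helper names (load_denylist, missing_functions, check_config) and the REQUIRED_DENYLIST constant are assumptions, and only the three functions named in this CVE are treated as required.

```python
import importlib.util
import sys

# The three PostgreSQL functions this CVE added to the denylist (from the advisory text).
REQUIRED_DENYLIST = {
    "postgresql": {
        "query_to_xml_and_xmlschema",
        "table_to_xml",
        "table_to_xml_and_xmlschema",
    },
}


def load_denylist(config_path):
    """Import a superset_config.py from an arbitrary path and return its
    DISALLOWED_SQL_FUNCTIONS mapping (empty mapping if the setting is absent)."""
    spec = importlib.util.spec_from_file_location("superset_config_under_test", config_path)
    if spec is None or spec.loader is None:
        raise FileNotFoundError(f"not a loadable Python file: {config_path}")
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)
    return getattr(module, "DISALLOWED_SQL_FUNCTIONS", {})


def missing_functions(denylist, required=REQUIRED_DENYLIST):
    """Return {engine: set of required function names absent from the deployed
    denylist}. An empty dict means every required name is present (names are
    compared case-insensitively)."""
    gaps = {}
    for engine, names in required.items():
        present = {n.lower() for n in denylist.get(engine, ())}
        absent = {n for n in names if n.lower() not in present}
        if absent:
            gaps[engine] = absent
    return gaps


def check_config(config_path):
    """Load the deployed config and report any drift from REQUIRED_DENYLIST."""
    return missing_functions(load_denylist(config_path))


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "superset_config.py"
    gaps = check_config(path)
    if gaps:
        for engine, names in gaps.items():
            print(f"DRIFT {engine}: missing {', '.join(sorted(names))}")
        sys.exit(1)
    print(f"OK {path}: required denylist entries present")
```

Because importing superset_config.py executes it, run the check against a copy of the file in a non-production environment or in a deployment pipeline step where the config's own imports and side effects are acceptable. The non-zero exit status lets a deployment job fail when a release overwrites the override before the upgrade to 4.1.0 has landed.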
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.