CVE-2023-42504: Apache Superset Allocation of Resources Without Limits or Throttling vulnerability

November 28, 2023 (updated February 13, 2025)

An authenticated malicious user could initiate multiple concurrent requests, each requesting multiple dashboard exports, leading to a possible denial of service.

This issue affects Apache Superset: before 3.0.0

References

github.com/advisories/GHSA-3hp7-4qq4-v5c6
github.com/apache/superset
lists.apache.org/thread/yzq5gk1y9lyw6nxwd3xdkxg1djqw1h6l
nvd.nist.gov/vuln/detail/CVE-2023-42504

Code Behaviors & Features

Detect and mitigate CVE-2023-42504 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →