CVE-2025-5874
BaseFortify
Publication date: 2025-06-09
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-264 | Permissions, Privileges, and Access Controls |
| CWE-265 | Privilege Issues |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-5874 is a sandbox escape vulnerability in Redash, an open-source data visualization and querying platform. Redash uses RestrictedPython to sandbox Python queries, relying on a set of safe built-in functions. However, this vulnerability arises because Redash insecurely restores the original Python built-in function 'getattr' instead of using the safer version 'safer_getattr' provided by RestrictedPython. This improper restoration allows attackers to bypass sandbox restrictions and execute arbitrary code without importing additional modules. Specifically, the flaw is in the 'run_query' function in the 'query_runner/python.py' file, where 'getattr' is assigned insecurely, enabling unrestricted access to object attributes and breaking sandbox isolation. [1, 3]
How can this vulnerability impact me?
This vulnerability allows attackers to escape the sandbox environment in Redash and execute arbitrary system commands remotely without requiring local access or additional module imports. This can lead to unauthorized code execution, compromising the confidentiality, integrity, and availability of the affected system. Attackers can run arbitrary commands, potentially leading to data breaches, system manipulation, or disruption of services. The exploit is publicly available and easy to use, increasing the risk of exploitation. No known patches or mitigations exist as of the advisory date, and the vendor has not responded to the disclosure. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection starts with confirming whether your Redash installation runs a vulnerable version (up to 10.1.0/25.1.0) and whether the insecure getattr restoration is in use. Because exploitation runs Python queries that escape the sandbox, monitoring for unusual query executions or for query text that reaches for system commands (e.g., use of getattr to access __subclasses__ and Popen) can surface exploitation attempts. In practice this means reviewing Redash query logs for payloads resembling the proof-of-concept code shown in Resource 3, and watching for unexpected outbound connections (e.g., curl requests to attacker-controlled servers) initiated by Redash processes. The resources provide no ready-made detection commands. [3]
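A log-review helper in the spirit of the monitoring suggested above, added here as an example (it is not part of the BaseFortify page or of the Redash project). It parses each logged Python query with the standard `ast` module and flags getattr() calls that reach for underscore-prefixed names, direct dunder attribute access, and references to a watchlist of names; the `(query_id, source)` log format, the sample entries and the watchlist are constructed assumptions.

```python
import ast
import re

# Watchlist of names the advisory associates with sandbox-escape queries (constructed; extend to taste).
SUSPICIOUS_NAMES = {"__subclasses__", "__globals__", "__builtins__", "__import__", "Popen", "system"}
DUNDER_RE = re.compile(r"__[A-Za-z0-9_]+__")

# Constructed sample of a Redash query log as (query_id, query_source) pairs: one benign, one suspicious.
SAMPLE_QUERY_LOG = [
    ("q-1001", 'result = {"columns": [{"name": "n", "type": "integer"}], "rows": [{"n": 1}]}'),
    ("q-1002", 'sub = getattr(obj, "__subclasses__")'),
]


def suspicious_markers(source: str) -> list:
    """Return findings for one Python query: getattr() reaching for private names,
    direct dunder attribute access, or references to watchlisted names."""
    findings = []
    try:
        tree = ast.parse(source)
    except SyntaxError:
        # Unparseable text still gets a token scan so a malformed payload is not silently skipped.
        tokens = set(DUNDER_RE.findall(source)) | {n for n in SUSPICIOUS_NAMES if n in source}
        return sorted("token:" + t for t in tokens)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id == "getattr":
            # getattr(obj, "__subclasses__"): the access path safer_getattr would have refused
            if len(node.args) >= 2:
                name = node.args[1]
                if isinstance(name, ast.Constant) and isinstance(name.value, str):
                    if name.value.startswith("_"):
                        findings.append("getattr:" + name.value)
                else:
                    findings.append("getattr:dynamic-name")  # attribute name built at runtime
        elif isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            findings.append("attr:" + node.attr)  # obj.__dict__ written directly
        elif isinstance(node, ast.Name) and node.id in SUSPICIOUS_NAMES:
            findings.append("name:" + node.id)  # e.g. Popen appearing in query text
    return findings


def scan_query_log(entries) -> dict:
    """Map query_id -> findings for every logged query that carries at least one marker."""
    hits = {}
    for query_id, source in entries:
        findings = suspicious_markers(source)
        if findings:
            hits[query_id] = findings
    return hits
```

Run `scan_query_log` over exported query history; a hit is a prompt for review, not proof of compromise, since legitimate queries can use private attributes.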
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1. Avoid running vulnerable Redash versions (up to 10.1.0/25.1.0) and consider replacing the affected component with an alternative product, as no patches or vendor mitigations are currently available.
2. Use the safer_getattr function provided by RestrictedPython instead of restoring the original built-in getattr, so that the sandbox is properly enforced.
3. Employ runtime hardening, such as running Python queries inside isolated containers and applying Linux sandboxing (AppArmor or seccomp) to restrict process capabilities.
4. Monitor for suspicious activity and restrict network access from Redash servers to limit the damage from a successful exploit. [2, 3]