Sandbox Vulnerability in Redash Affected Versions
CVE-2025-5874

5.1MEDIUM

Key Information:

Vendor

Redash

Status
Redash
Vendor
CVE Published:
9 June 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-5874?

A vulnerability affecting Redash allows for improper handling of sandboxed environments in the run_query function located in the /query_runner/python.py file. This manipulation could potentially allow for the execution of unauthorized commands within a sandboxed context, exposing user data to exploitation. Despite early notifications to the vendor regarding the potential risk, there has been no response or resolution. Users of Redash versions to 10.1.0 and 25.1.0 are particularly encouraged to assess their exposure and take appropriate security measures.

Affected Version(s)

Redash 10.0

Redash 10.1.0

Redash 25.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-5874 - Proof of Concept

References

https://vuldb.com/?id.311633
vdb-entrytechnical-description
https://vuldb.com/?ctiid.311633
signaturepermissions-required
https://vuldb.com/?submit.580255
third-party-advisory

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jiacheng Zhong
Zhengyu Liu
Gavin Zhong (VulDB User)
Gavin Zhong (VulDB User)
.
CVE-2025-5874 : Sandbox Vulnerability in Redash Affected Versions