Plattform
python
Komponente
apache-airflow
Behoben in
3.2.0
3.2.0
CVE-2025-57735 addresses a critical vulnerability in Apache Airflow where JWT tokens were not invalidated upon user logout. This allows an attacker who intercepts a token to potentially reuse it, gaining unauthorized access to Airflow resources. The vulnerability affects versions 3.2.0rc2 and earlier, and is resolved in version 3.2.0.
Successful exploitation of this vulnerability allows an attacker to impersonate a legitimate user and execute tasks within the Airflow environment. This could lead to unauthorized data access, modification, or deletion. The attacker could trigger DAGs, access sensitive configuration information, and potentially compromise the entire Airflow cluster. The blast radius extends to all resources accessible by the impersonated user, potentially impacting downstream systems and data.
This vulnerability is considered critical due to the potential for unauthorized access and control over the Airflow environment. No public exploits have been reported, but the potential for exploitation is high. The vulnerability was published on 2026-04-09. Severity: CRITICAL (CVSS 9.1).
Organizations heavily reliant on Apache Airflow for data orchestration and workflow automation are particularly at risk. Environments with weak network security or where users frequently access Airflow from untrusted networks are also more vulnerable. Shared hosting environments where multiple users share an Airflow instance should be prioritized for patching.
• python / airflow: Check Airflow version using airflow version. If ≤3.2.0rc2, the system is vulnerable.
• python / airflow: Monitor Airflow logs for unusual activity or unauthorized DAG runs.
• generic web: If Airflow is exposed externally, monitor network traffic for suspicious JWT token activity using network intrusion detection systems (NIDS).
disclosure
Exploit-Status
EPSS
0.01% (2% Perzentil)
CVSS-Vektor
The primary mitigation for CVE-2025-57735 is to upgrade to Apache Airflow version 3.2.0 or later. If upgrading is not immediately feasible, consider implementing stricter token management policies, such as shortening token expiration times. Monitor Airflow logs for suspicious activity and implement intrusion detection systems to identify potential token reuse attempts. After upgrading, verify token invalidation at logout by logging out and attempting to reuse a previously obtained token.
Actualice a la versión 3.2.0 o superior de Apache Airflow para invalidar correctamente los tokens JWT al cerrar sesión, previniendo así el posible uso no autorizado de tokens interceptados.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-57735 is a critical vulnerability in Apache Airflow versions 3.2.0rc2 and earlier where intercepted JWT tokens can be reused after logout, potentially granting unauthorized access.
Yes, if you are running Apache Airflow versions 3.2.0rc2 or earlier, you are affected by this vulnerability.
Upgrade to Apache Airflow version 3.2.0 or later to invalidate tokens at logout and mitigate the risk.
There is currently no indication of active exploitation, but the vulnerability's severity warrants immediate attention and patching.
Refer to the Apache Airflow security advisories on the Apache project website for the latest information and updates regarding CVE-2025-57735.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine requirements.txt-Datei hoch und wir sagen dir sofort, ob du betroffen bist.