Platform
python
Component
apache-airflow
Fixed in
2.9.3
2.9.3
CVE-2024-39877 is a remote code execution (RCE) vulnerability affecting Apache Airflow versions 2.4.0 and earlier, up to and including 2.9.3rc1. This vulnerability allows authenticated DAG authors to craft malicious doc_md parameters, leading to arbitrary code execution within the Airflow scheduler's context, bypassing security restrictions. Affected users should immediately upgrade to version 2.9.3 or later, which addresses this critical security flaw.
The impact of CVE-2024-39877 is severe. A successful exploit allows an attacker, posing as an authenticated DAG author, to execute arbitrary code on the Airflow scheduler. This grants the attacker complete control over the scheduler's processes, potentially leading to data breaches, system compromise, and disruption of Airflow workflows. The attacker could steal sensitive data processed by Airflow, modify DAGs to execute malicious tasks, or even pivot to other systems within the network if the scheduler has access to them. This vulnerability is particularly concerning given Airflow's common use in data pipelines handling sensitive information.
CVE-2024-39877 was publicly disclosed on July 17, 2024. While no active exploitation campaigns have been publicly confirmed as of this writing, the ease of exploitation and the potential impact make it a high-priority vulnerability. It is not currently listed on the CISA KEV catalog. Public proof-of-concept code is likely to emerge, increasing the risk of exploitation.
Exploit Status
EPSS
0.10% (27% percentile)
CVSS Vector
The primary mitigation for CVE-2024-39877 is to upgrade Apache Airflow to version 2.9.3 or later. This version includes a fix that prevents the malicious crafting of docmd parameters. If an immediate upgrade is not feasible, consider implementing stricter input validation on the docmd parameter to sanitize potentially harmful code. While not a complete solution, this can reduce the attack surface. Review and audit existing DAGs for any suspicious code or unusual parameter usage. After upgrading, verify the fix by attempting to create a DAG with a crafted doc_md parameter and confirming that it is properly sanitized and does not result in code execution.
Update Apache Airflow to version 2.9.3 or later. This version fixes the vulnerability that allows arbitrary code execution. The update can be performed via pip or the preferred installation method.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-39877 is a remote code execution vulnerability in Apache Airflow versions 2.4.0 and earlier, up to 2.9.3rc1. It allows authenticated DAG authors to execute arbitrary code on the scheduler.
You are affected if you are running Apache Airflow versions 2.4.0 through 2.9.3rc1. Upgrade to 2.9.3 or later to mitigate the risk.
The recommended fix is to upgrade Apache Airflow to version 2.9.3 or later. As a temporary workaround, implement stricter input validation on the doc_md parameter.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's severity and ease of exploitation suggest a high likelihood of future attacks.
Refer to the Apache Airflow security page for the latest information and advisory: https://airflow.apache.org/security
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.