Platform
python
Component
apache-airflow
Fixed in
3.2.0
3.2.0
CVE-2025-57735 is a critical vulnerability in Apache Airflow versions 3.2.0rc2 and earlier. This flaw allows an attacker who intercepts a user's JWT token to potentially reuse it even after the user has logged out. Airflow 3.2 introduced token invalidation at logout, addressing this issue, and users are strongly advised to upgrade.
The primary impact of CVE-2025-57735 is unauthorized access to Airflow resources. If an attacker intercepts a valid JWT token, they can impersonate the user associated with that token, even after the user has logged out. This could allow them to trigger DAG runs, modify configurations, access sensitive data stored within Airflow, or potentially gain broader access to the underlying infrastructure depending on Airflow's integration with other systems. The severity is heightened by the ease with which JWT tokens can be intercepted in certain network conditions, such as insecure Wi-Fi networks or man-in-the-middle attacks.
This vulnerability was publicly disclosed on 2026-04-09. There is no indication of active exploitation at this time, and it is not currently listed on the CISA KEV catalog. Public proof-of-concept code is not widely available, but the potential for exploitation is considered high given the relatively simple nature of JWT token interception and the critical severity of the vulnerability.
Exploit Status
EPSS
0.01% (2% percentile)
CVSS Vector
The recommended mitigation for CVE-2025-57735 is to upgrade to Apache Airflow version 3.2.0 or later, which includes the necessary token invalidation mechanism at logout. If upgrading immediately is not feasible, consider implementing network segmentation to limit the potential blast radius of a compromised token. Additionally, enforce strong password policies and multi-factor authentication to reduce the likelihood of initial account compromise. Review and restrict Airflow user permissions to minimize potential damage from unauthorized actions. After upgrade, confirm token invalidation by logging out and attempting to reuse the previously valid token – it should be rejected.
Upgrade to version 3.2.0 or higher of Apache Airflow to correctly invalidate JWT tokens upon logout, thus preventing potential unauthorized use of intercepted tokens.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-57735 is a critical vulnerability in Apache Airflow versions 3.2.0rc2 and earlier where intercepted JWT tokens can be reused after logout, potentially granting unauthorized access.
Yes, if you are running Apache Airflow versions 3.2.0rc2 or earlier, you are affected by this vulnerability.
Upgrade to Apache Airflow version 3.2.0 or later to invalidate tokens at logout and mitigate the risk.
There is currently no indication of active exploitation, but the vulnerability's severity warrants immediate attention and patching.
Refer to the Apache Airflow security advisories on the Apache project website for the latest information and updates regarding CVE-2025-57735.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.