Platform: python
Component: apache-airflow
Fixed version: 3.2.0
CVE-2025-57735 is a session-management vulnerability in Apache Airflow versions 3.2.0rc2 and earlier: logging out did not invalidate the user's JWT, so a token that an attacker has already obtained remains usable until it expires on its own. Airflow 3.2.0 invalidates the token at logout, and users are advised to upgrade.
The impact is unauthorized access to Airflow with the permissions of the token's owner. An attacker holding a valid token can keep acting as that user after the user has logged out: triggering DAG runs, editing Variables and Connections, reading data exposed through the REST API and, depending on what the deployment integrates with, reaching downstream systems through the user's configured connections. Note what the flaw does and does not do: it does not leak the token itself, it only extends how long a leaked token stays useful, and logging out no longer helps the user cut the attacker off. Realistic sources of a leaked token are deployments served over plaintext HTTP, token theft from the browser or a shared workstation, and tokens recorded in proxy or application logs.
This vulnerability was publicly disclosed on 2026-04-09. There is no indication of active exploitation at this time, it is not listed in the CISA KEV catalog, and no public proof-of-concept is widely available; the EPSS score shown on this page (0.01%) likewise predicts a low likelihood of exploitation. The attack itself needs no special tooling, however: a captured token is simply replayed in an Authorization header.
Organizations that rely on Apache Airflow for data orchestration and workflow automation are at risk in proportion to what their Airflow users can reach. Deployments that are not TLS-protected end to end, or that users reach from untrusted networks, are more exposed because the token is easier to capture in the first place. Multi-tenant instances shared by many users should be prioritized for patching.
• python / airflow: Check the installed version with the command airflow version. Anything at or below 3.2.0rc2 is vulnerable.
• python / airflow: Review Airflow's audit log for DAG runs, Variable or Connection changes attributed to a user after that user's logout; on unpatched versions such activity is consistent with token replay.
• generic web: If Airflow is exposed externally, terminate TLS at a reverse proxy and keep request logs there so API calls made with a token after its owner logged out can be spotted. A network intrusion detection system watching TLS traffic cannot see the bearer token and will not detect replay on its own.
Disclosure
Exploit status
EPSS: 0.01% (2nd percentile)
CVSS vector:
The recommended mitigation for CVE-2025-57735 is to upgrade to Apache Airflow 3.2.0 or later, which invalidates the JWT at logout. If upgrading immediately is not feasible, shorten the JWT lifetime (Airflow 3 exposes this as jwt_expiration_time in the [api_auth] section of airflow.cfg), since the replay window is bounded by the token's expiry; serve the API only over TLS so tokens are not exposed in transit; and segment the network to limit what a compromised token can reach. Strong password policies and multi-factor authentication do not stop replay of an already-stolen token, but they reduce the chance of the initial account compromise that produces one. Review and restrict Airflow user permissions to minimize what an attacker can do with any single token. After upgrading, confirm the fix by calling the API with a token, logging out, and replaying the same token: the replay should be rejected with an authentication error.
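The post-upgrade verification described above, scripted, as an added example for this page (not Apache Airflow project code). It obtains a token, uses it, logs out with it, then replays it and reports whether the replay was rejected. The endpoint paths (/auth/token, /auth/logout, /api/v2/version), the access_token field in the login response and the use of GET for logout are assumptions to adjust for the deployment under test. A constructed in-memory stand-in for the API server is included so the check runs offline and shows both the pre-fix and fixed behaviour; point base_url at a real instance to test it for real.

```python
"""Does Airflow reject a JWT once its user has logged out? (added example)

Endpoint paths, the access_token response field and GET /auth/logout are
assumptions; adjust them for the deployment being tested.
"""
import base64
import json
import time
import urllib.error
import urllib.request
from urllib.parse import urlparse


def urllib_transport(method, url, headers, body=None):
    """Real HTTP transport: returns (status, body); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def obtain_token(base_url, username, password, transport=urllib_transport):
    """Log in and return the bearer token (assumes an access_token field)."""
    body = json.dumps({"username": username, "password": password}).encode()
    status, payload = transport("POST", base_url + "/auth/token",
                                {"Content-Type": "application/json"}, body)
    if status not in (200, 201):
        raise RuntimeError(f"login failed with HTTP {status}")
    return json.loads(payload)["access_token"]


def token_expiry(token):
    """Unverified read of the JWT exp claim: how long a leaked token stays live."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64)).get("exp")


def logout_revokes_token(base_url, token, transport=urllib_transport):
    """Use the token, log out with it, then replay it.

    'fixed' if the replay is rejected (401/403), 'vulnerable' if it still
    succeeds, 'inconclusive' if the token never worked to begin with.
    """
    auth = {"Authorization": "Bearer " + token}
    before, _ = transport("GET", base_url + "/api/v2/version", auth, None)
    if before != 200:
        return "inconclusive"
    transport("GET", base_url + "/auth/logout", auth, None)
    after, _ = transport("GET", base_url + "/api/v2/version", auth, None)
    if after == 200:
        return "vulnerable"
    return "fixed" if after in (401, 403) else "inconclusive"


class SimulatedAirflow:
    """Constructed stand-in for the API server so the check runs offline.

    revoke_on_logout=False models the pre-fix behaviour (token valid until
    exp regardless of logout); True models logout-time invalidation.
    """

    def __init__(self, revoke_on_logout, lifetime=86400):
        self.revoke_on_logout = revoke_on_logout
        self.lifetime = lifetime
        self.live = set()

    def _mint(self):
        def b64(obj):
            return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
        claims = {"sub": "admin", "exp": int(time.time()) + self.lifetime}
        tok = f"{b64({'alg': 'HS512'})}.{b64(claims)}.simulated-signature"
        self.live.add(tok)
        return tok

    def __call__(self, method, url, headers, body):
        path = urlparse(url).path
        if method == "POST" and path == "/auth/token":
            if json.loads(body) != {"username": "admin", "password": "admin"}:
                return 401, b"{}"
            return 201, json.dumps({"access_token": self._mint()}).encode()
        tok = headers.get("Authorization", "")[len("Bearer "):]
        if tok not in self.live:
            return 401, b'{"detail":"Unauthorized"}'
        if path == "/auth/logout" and self.revoke_on_logout:
            self.live.discard(tok)  # the fixed behaviour: logout kills the token
        return 200, b"{}"


def run_simulation():
    """Run the check against both simulated behaviours; returns the verdicts."""
    results = {}
    for name, revoke in (("no_revocation", False), ("revocation", True)):
        sim = SimulatedAirflow(revoke)
        tok = obtain_token("http://sim", "admin", "admin", transport=sim)
        results[name] = logout_revokes_token("http://sim", tok, transport=sim)
    return results


if __name__ == "__main__":
    for name, verdict in run_simulation().items():  # offline demonstration
        print(f"{name}: {verdict}")
```

Against a real deployment, replace the simulated transport with the default urllib_transport and a real base_url and credentials; a "vulnerable" verdict after upgrading means the logout endpoint path or method assumed here does not match your auth manager, so confirm those before concluding the fix is absent. The token_expiry helper is there to show the other half of the risk: on an unpatched instance the replay window is exactly the remaining time to exp.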
Upgrade to Apache Airflow 3.2.0 or later so that JWT tokens are correctly invalidated at logout, preventing unauthorized use of intercepted tokens.
CVE-2025-57735 is a vulnerability in Apache Airflow versions 3.2.0rc2 and earlier in which a JWT remains valid after its user logs out, so an intercepted token can be replayed for unauthorized access.
Yes, if you are running Apache Airflow 3.2.0rc2 or earlier, you are affected by this vulnerability.
Upgrade to Apache Airflow 3.2.0 or later, which invalidates tokens at logout.
There is currently no indication of active exploitation, but on unpatched versions a stolen token stays replayable until it expires, so patching should not wait for evidence of exploitation.
Refer to the Apache Airflow security advisories on the Apache project website for the latest information and updates regarding CVE-2025-57735.