BIT-airflow-2025-65995
Information Disclosure vulnerability in apache-airflow (PyPI)
What is BIT-airflow-2025-65995 About?
This vulnerability in Apache Airflow can expose sensitive values, such as secrets, within UI tracebacks when a Directed Acyclic Graph (DAG) fails during parsing. Authenticated users with viewing permissions for that DAG can access these sensitive kwargs, leading to information disclosure. The exploitation is passive, as it relies on a DAG failure and authorized viewing access.
Affected Software
- apache-airflow
  - <2.11.1
  - >=3.0.0b1, <3.1.5rc1
Technical Details
The vulnerability arises during the error-reporting mechanism in Apache Airflow's UI. When a DAG encounters a parsing failure, the system's traceback generation inadvertently includes the full keyword arguments (kwargs) passed to the operators. If these kwargs contain sensitive data, such as API keys, database credentials, or other secrets, they are then displayed unredacted in the UI's error reports. Authenticated users with permissions to view the failed DAG can then access this sensitive information. The flaw is in the logging or display logic, which fails to properly sanitize or redact sensitive parameters within error traces, effectively leading to information disclosure.
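As an added illustration of the mechanism described above (constructed example, not Airflow's own code or fix), the first function below shows the vulnerable pattern of embedding raw operator kwargs in a parse-time error message, and the second redacts by argument name and by known secret value before the message is built. The sensitive-name pattern, the sample kwargs and the secret values are assumptions.

```python
from __future__ import annotations
import re
from typing import Any

# Assumption: kwarg names that commonly carry credentials in operator definitions.
SENSITIVE_NAME_RE = re.compile(
    r"password|passwd|secret|token|api_key|apikey|private_key|authorization", re.I
)
MASK = "***"


def redact(obj: Any, known_secrets: frozenset[str] = frozenset()) -> Any:
    """Copy obj with sensitive keys and known secret values masked.

    Dict entries are masked by key name, lists/tuples are walked recursively,
    and any string equal to a known secret is masked wherever it appears, so a
    secret passed under an innocuous name is still hidden.
    """
    if isinstance(obj, dict):
        return {
            k: MASK if isinstance(k, str) and SENSITIVE_NAME_RE.search(k)
            else redact(v, known_secrets)
            for k, v in obj.items()
        }
    if isinstance(obj, (list, tuple)):
        return type(obj)(redact(v, known_secrets) for v in obj)
    if isinstance(obj, str) and obj in known_secrets:
        return MASK
    return obj


def unsafe_parse_error(task_id: str, unknown: list[str], kwargs: dict[str, Any]) -> str:
    """Vulnerable pattern: raw kwargs land verbatim in the exception text/traceback."""
    return f"task {task_id!r}: unexpected arguments {unknown}; kwargs={kwargs!r}"


def safe_parse_error(task_id: str, unknown: list[str], kwargs: dict[str, Any],
                     known_secrets: frozenset[str] = frozenset()) -> str:
    """Hardened pattern: redact before the message (and thus the traceback) exists."""
    return (f"task {task_id!r}: unexpected arguments {unknown}; "
            f"kwargs={redact(kwargs, known_secrets)!r}")


def validate_operator_kwargs(task_id: str, kwargs: dict[str, Any], allowed: frozenset[str],
                             known_secrets: frozenset[str] = frozenset()) -> None:
    """Reject unknown operator kwargs at DAG parse time using the redacted message."""
    unknown = sorted(set(kwargs) - allowed)
    if unknown:
        raise ValueError(safe_parse_error(task_id, unknown, kwargs, known_secrets))


# Constructed sample: credentials under a matching name, a nested header, and an
# innocuous key ("conn") whose value is only caught via the known-secrets set.
SAMPLE_KWARGS = {"bucket": "reports", "api_key": "key-constructed",
                 "headers": {"Authorization": "Bearer tok-constructed"},
                 "conn": "hunter2-constructed", "typo_arg": True}
```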
What is the Impact of BIT-airflow-2025-65995?
Successful exploitation may allow attackers to view sensitive information and credentials, leading to further attacks or unauthorized access.
What is the Exploitability of BIT-airflow-2025-65995?
Exploitation of this vulnerability is passive and relies on specific conditions. An authenticated user with permission to view a specific DAG is required. The primary prerequisite is that a DAG must fail during its parsing phase, causing the sensitive kwargs to be included in the error traceback visible in the Airflow UI. No direct interaction or complex attack steps are required beyond accessing the UI with appropriate permissions after a DAG failure. This is a local-to-the-application vulnerability, meaning a user must be authenticated to Airflow. The risk increases in environments where sensitive data is commonly passed via kwargs, where DAG failures are frequent, or where multiple users have DAG viewing permissions.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-airflow-2025-65995?
Available Upgrade Options
- apache-airflow
  - <2.11.1 → Upgrade to 2.11.1
  - >=3.0.0b1, <3.1.5rc1 → Upgrade to 3.1.5rc1
Additional Resources
- http://www.openwall.com/lists/oss-security/2025/12/12/2
- https://github.com/apache/airflow/pull/58252
- https://github.com/apache/airflow/pull/61883
- https://github.com/apache/airflow
- https://lists.apache.org/thread/1qzlrjo2wmlzs0rrgzgslj2pzkor0dr2
- https://nvd.nist.gov/vuln/detail/CVE-2025-65995
- https://osv.dev/vulnerability/GHSA-gfw7-2v73-69wg
What are Similar Vulnerabilities to BIT-airflow-2025-65995?
Similar Vulnerabilities: CVE-2024-50378, CVE-2023-45582, CVE-2022-26135, CVE-2021-36774, CVE-2020-11985
