BIT-vault-2025-6037
Cross-site scripting vulnerability in vault (Go)
What is BIT-vault-2025-6037 About?
Apache Airflow, in versions prior to 2.10.0, is vulnerable to a cross-site scripting (XSS) attack. This allows a malicious provider developer to execute arbitrary scripts in a user's browser, enabling session hijacking or data theft. Exploitation requires user interaction and a pre-installed malicious provider, making it moderately difficult.
Affected Software
Technical Details
The vulnerability is a reflected cross-site scripting (XSS) in Apache Airflow versions before 2.10.0. A malicious provider developer can embed JavaScript within the provider's documentation. When a user subsequently clicks the link to that provider's documentation in the Airflow web interface, the script is executed in the user's browser within the context of the Airflow domain. Two conditions must hold: first, the malicious provider must be installed on the Airflow web server so that its documentation is served; second, a user with access to the Airflow UI must click the provider link, which renders the documentation and triggers the XSS payload. The executed script can then perform actions such as stealing session cookies, defacing the web page, or making requests on behalf of the user.
What is the Impact of BIT-vault-2025-6037?
Successful exploitation may allow attackers to execute arbitrary code in the victim's browser, leading to session hijacking, data theft, defacement of the web interface, or other actions performed with the victim's privileges within the Apache Airflow application.
What is the Exploitability of BIT-vault-2025-6037?
Exploitation requires specific preconditions: a malicious provider must be installed on the Airflow web server, and a user must then explicitly click the malicious provider's documentation link within the Airflow user interface. This makes the complexity moderate, as it involves both a server-side step (provider installation) and client-side user interaction. Authentication is required, since a user must log into Airflow to access the providers view, and privileges to install a provider are also required. This is an indirect remote attack: the malicious script is delivered via the web server and executed locally in the victim's browser. The primary risk factors are the ability to install untrusted providers and users clicking links without caution.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-vault-2025-6037?
Available Upgrade Options
- github.com/hashicorp/vault
- <1.20.1 → Upgrade to 1.20.1
Additional Resources
- https://osv.dev/vulnerability/GO-2025-3836
- https://discuss.hashicorp.com/t/hcsec-2025-18-vault-certificate-auth-method-did-not-validate-common-name-for-non-ca-certificates/76037
- https://github.com/advisories/GHSA-6c5r-4wfc-3mcx
- https://github.com/hashicorp/vault
- https://nvd.nist.gov/vuln/detail/CVE-2025-6037
- https://osv.dev/vulnerability/GHSA-6c5r-4wfc-3mcx
What are Similar Vulnerabilities to BIT-vault-2025-6037?
Similar Vulnerabilities: CVE-2023-38035, CVE-2022-29807, CVE-2021-42036, CVE-2020-13936, CVE-2019-10098
