PT-2025-51039 · Apache · Airflow
Frieder Gottman +1 · Published 2025-12-12 · Updated 2026-02-24
CVE-2025-65995
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Airflow versions prior to 3.1.4
Airflow versions prior to 2.11.1
Description
A flaw exists in Airflow where the user interface (UI) error reporting could expose sensitive information passed as keyword arguments (kwargs) to operators when a Directed Acyclic Graph (DAG) failed during parsing. This exposure was limited to authenticated users with permission to view the affected DAG. The issue could lead to the disclosure of secrets or other sensitive values included within the kwargs.
Recommendations
Upgrade to Airflow version 3.1.4 or later.
Upgrade to Airflow version 2.11.1 or later.
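An audit that complements the upgrade, as an added example (not part of this advisory and not Airflow's own code): it parses DAG source and reports calls that pass a string literal under a sensitive-looking keyword name, the kind of kwargs value the description says could surface in a parse error. The `SENSITIVE_HINTS` list, the function names, the `MyUploadOperator` class and the sample DAG are assumptions constructed for illustration.

```python
import ast

# Assumed name fragments that suggest a secret (illustrative, not Airflow's own list).
SENSITIVE_HINTS = ("password", "passwd", "secret", "token", "api_key", "private_key")


def _sensitive(name):
    return isinstance(name, str) and any(h in name.lower() for h in SENSITIVE_HINTS)


def _literal(node):
    """True for a non-empty string literal that is not a Jinja template placeholder."""
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and node.value != "" and "{{" not in node.value)


def find_literal_secret_kwargs(source, filename="<dag>"):
    """Return sorted (line, callee, kwarg) for sensitive-named string literals passed to calls."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        callee = ast.unparse(node.func)
        for kw in node.keywords:
            if kw.arg is None:  # **mapping cannot be resolved statically; review by hand
                continue
            if _sensitive(kw.arg) and _literal(kw.value):
                findings.append((kw.value.lineno, callee, kw.arg))
            elif isinstance(kw.value, ast.Dict):  # e.g. env={"API_TOKEN": "..."}
                for k, v in zip(kw.value.keys, kw.value.values):
                    if isinstance(k, ast.Constant) and _sensitive(k.value) and _literal(v):
                        findings.append((v.lineno, callee, f"{kw.arg}[{k.value!r}]"))
    return sorted(findings)


# Constructed sample DAG; it is only parsed, never imported, so Airflow is not required.
SAMPLE_DAG = '''
with DAG("export_job") as dag:
    BashOperator(task_id="push", bash_command="push.sh",
                 env={"API_TOKEN": "constructed-token-value", "REGION": "eu"})
    BashOperator(task_id="pull", bash_command="pull.sh",
                 env={"API_TOKEN": "{{ var.value.api_token }}"})
    MyUploadOperator(task_id="upload", password="constructed-password")
'''

if __name__ == "__main__":
    for line, callee, kwarg in find_literal_secret_kwargs(SAMPLE_DAG):
        print(f"line {line}: {callee}({kwarg}=<string literal>)")
```

Each finding marks a value to move out of the DAG file into an Airflow Connection, Variable or secrets backend; the report prints only the location, never the literal itself.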
Fix
Generation of Error Message Containing Sensitive Information
Weakness Enumeration
Related Identifiers
Affected Products
Airflow