PT-2025-51824 · Unknown+1 · Apache Airflow+1
Jarek Potiuk +1 · Published 2025-12-17 · Updated 2025-12-26 · CVE-2025-67895
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Apache Airflow Providers Edge3 versions prior to 2.0.0
Description
The Edge3 provider for Apache Airflow 2 contains an issue that allows a Dag author to perform Remote Code Execution (RCE) in the webserver context through a non-public API. This API was intended for testing the Edge Provider during development and was implicitly enabled when the Edge3 provider was installed and configured on Airflow 2. The Edge3 provider support in Airflow 2 was development-only and not officially released. The issue is present only if the Edge3 provider was installed and configured on Airflow 2.
Recommendations
If you installed and configured the Edge3 provider for Airflow 2, uninstall it and migrate to Airflow 3.
If you used the Edge Provider in Airflow 3, you are not affected.
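To check an environment against the conditions above, the following added example (not code from the advisory or from the Airflow project) reads the installed versions of the `apache-airflow` and `apache-airflow-providers-edge3` distributions and classifies the combination. The status labels are assumptions chosen for this example, and whether the provider is actually configured still has to be confirmed by hand.

```python
import re
from importlib import metadata

EDGE3_DIST = "apache-airflow-providers-edge3"
AIRFLOW_DIST = "apache-airflow"
FIXED_EDGE3 = (2, 0, 0)  # advisory: Edge3 versions prior to 2.0.0 are affected


def parse_version(text):
    """Return the leading numeric release tuple, e.g. '1.1.2rc1' -> (1, 1, 2).

    Simplification: pre-release suffixes are ignored, so '2.0.0rc1' compares
    equal to '2.0.0'.
    """
    parts = []
    for piece in text.split(".")[:3]:
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts + [0] * (3 - len(parts)))


def installed_version(dist):
    """Version string of an installed distribution, or None if it is absent."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None


def assess(airflow_version, edge3_version):
    """Classify an environment using only the conditions stated in the advisory."""
    if edge3_version is None:
        return "not-installed"            # provider absent: nothing to remove
    if airflow_version is None:
        return "unknown-airflow"          # provider present, core version unknown
    if parse_version(airflow_version)[0] >= 3:
        return "not-affected"             # Edge provider on Airflow 3
    if parse_version(edge3_version) < FIXED_EDGE3:
        return "affected-if-configured"   # uninstall and migrate to Airflow 3
    return "outside-affected-range"


if __name__ == "__main__":
    af, edge = installed_version(AIRFLOW_DIST), installed_version(EDGE3_DIST)
    print(f"{AIRFLOW_DIST}={af} {EDGE3_DIST}={edge} -> {assess(af, edge)}")
```

Run it with the same Python interpreter (virtualenv or container image) that runs the Airflow webserver, since that is the context the description names.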
Fix
RCE
Affected Products
Apache Airflow
Edge3