CVE-2025-65995
Last modified
CVE-2025-65995 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view that DAG. The issue has been fixed in Airflow 3.1.4 and 2.11.1, and users are strongly advised to upgrade to prevent potential disclosure of sensitive information.. EPSS estimates a 0.80% chance of exploitation in the next 30 days.
Description
When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view that DAG. The issue has been fixed in Airflow 3.1.4 and 2.11.1, and users are strongly advised to upgrade to prevent potential disclosure of sensitive information.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Airflow | < 2.11.1 |
| Apache | Airflow | >= 3.0.0, < 3.1.4 |
References
- https://github.com/apache/airflow/pull/58252Issue Tracking, Patch
- https://github.com/apache/airflow/pull/61883Issue Tracking, Patch
- https://lists.apache.org/thread/1qzlrjo2wmlzs0rrgzgslj2pzkor0dr2Mailing List, Vendor Advisory
- http://www.openwall.com/lists/oss-security/2025/12/12/2Mailing List, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2025-65995?
How severe is CVE-2025-65995?
How do I fix CVE-2025-65995?
Are you affected by CVE-2025-65995?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST