SQL Injection Vulnerability in Apache Airflow MySQL Provider
CVE-2025-27018

CVSS v3.1 score: 6.3 (MEDIUM)

Key Information:

Vendor: Apache
CVE Published: 19 March 2025

Summary

A SQL injection flaw exists in the Apache Airflow MySQL Provider. When a user triggers a Directed Acyclic Graph (DAG) that uses the provider's dump_sql or load_sql functions, the table parameter supplied through the user interface is passed into the SQL statement without validation. An authenticated user who is allowed to trigger such a DAG can therefore place additional SQL inside the table name and execute unintended SQL commands, potentially leading to data corruption or modification. Users are advised to upgrade to version 6.2.0 or later, which resolves this vulnerability.
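The bug class behind this advisory, shown as an added example rather than the provider's own code: the first two builders splice a caller-supplied table name straight into MySQL bulk load and dump statements, which is the pattern the summary describes; the hardened builders validate the name as a plain (optionally schema-qualified) MySQL identifier and backtick-quote it before it reaches the SQL text. Function names, the trigger configuration dictionary and the file paths are constructed for the illustration and are not taken from Airflow.

```python
import re

# Added illustration of the CVE-2025-27018 bug class; this is not the Apache
# Airflow MySQL provider's own code. Function names, the DAG trigger
# configuration and the file paths below are constructed for the example.

# Unquoted MySQL identifier characters: letters, digits, '_' and '$'.
# An optional "schema." prefix is allowed; nothing else is.
_IDENT = r"[A-Za-z_][A-Za-z0-9_$]*"
_TABLE_RE = re.compile(rf"(?:{_IDENT}\.)?{_IDENT}")


def bulk_load_sql_vulnerable(table: str, tmp_file: str) -> str:
    """Vulnerable pattern: the caller's table name is spliced into the
    statement verbatim, so any SQL inside it becomes part of the query."""
    return f"LOAD DATA LOCAL INFILE '{tmp_file}' INTO TABLE {table}"


def bulk_dump_sql_vulnerable(table: str, tmp_file: str) -> str:
    """Same defect on the dump side."""
    return f"SELECT * INTO OUTFILE '{tmp_file}' FROM {table}"


def is_valid_table_identifier(table: str) -> bool:
    """True only for a plain MySQL table name, optionally schema-qualified."""
    return _TABLE_RE.fullmatch(table) is not None


def safe_table_identifier(table: str) -> str:
    """Validate the name and return it backtick-quoted for use in SQL text.

    Driver placeholders (%s) bind values, never identifiers, so a table
    name has to be validated and quoted rather than parameterised."""
    if not is_valid_table_identifier(table):
        raise ValueError(f"rejected table identifier: {table!r}")
    return ".".join(f"`{part}`" for part in table.split("."))


def bulk_load_sql(table: str, tmp_file: str) -> str:
    """Hardened variant: only a validated, quoted identifier reaches the SQL."""
    return f"LOAD DATA LOCAL INFILE '{tmp_file}' INTO TABLE {safe_table_identifier(table)}"


def bulk_dump_sql(table: str, tmp_file: str) -> str:
    """Hardened dump variant."""
    return f"SELECT * INTO OUTFILE '{tmp_file}' FROM {safe_table_identifier(table)}"


def render_from_trigger_conf(conf: dict, tmp_file: str, hardened: bool) -> str:
    """Mimic a task that reads the table name from the DAG run configuration
    supplied at trigger time and hands it to the load helper."""
    table = conf["table"]
    builder = bulk_load_sql if hardened else bulk_load_sql_vulnerable
    return builder(table, tmp_file)


if __name__ == "__main__":
    # Constructed trigger configuration: the kind of value a user could type
    # into the trigger form; it is not a payload taken from the advisory.
    hostile_conf = {"table": "events; DROP TABLE audit_log; -- "}
    benign_conf = {"table": "analytics.events"}
    tmp = "/tmp/airflow_bulk.csv"  # hypothetical server-side temporary file

    print(render_from_trigger_conf(hostile_conf, tmp, hardened=False))
    print(render_from_trigger_conf(benign_conf, tmp, hardened=True))
    try:
        render_from_trigger_conf(hostile_conf, tmp, hardened=True)
    except ValueError as exc:
        print("hardened path:", exc)
```

Running the file shows the hostile configuration producing a stacked statement on the vulnerable path and a ValueError on the hardened one. Whether a stacked statement actually executes depends on the driver's multi-statement setting, but even a single statement can be altered by appending clauses after the table name, so the identifier must be validated regardless. To confirm the fix is deployed, check that `pip show apache-airflow-providers-mysql` reports 6.2.0 or later.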

Affected Version(s)

Apache Airflow MySQL Provider (apache-airflow-providers-mysql): all versions before 6.2.0

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published: 19 March 2025

Credit

Vincent55 (DEVCORE Internship Program)