SQL Injection Vulnerability in Apache Airflow MySQL Provider
CVE-2025-27018

6.3MEDIUM

Key Information:

Vendor

Apache
Status
Apache Airflow Mysql Provider
Vendor
CVE Published:
19 March 2025

What is CVE-2025-27018?

A security flaw in the Apache Airflow MySQL Provider allows for SQL injection when users trigger a Directed Acyclic Graph (DAG) using the dump_sql or load_sql functions. By passing an unvalidated table parameter from the user interface, an attacker could execute unintended SQL commands, potentially leading to data corruption or modification. To mitigate this risk, users are advised to upgrade to version 6.2.0 or later, which addresses and resolves this vulnerability.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Apache Airflow MySQL Provider 0 < 6.2.0

References

https://github.com/apache/airflow/pull/47254
patch
https://github.com/apache/airflow/pull/47255
patch
https://lists.apache.org/thread/m8ohgkwz4mq9njohf66sjwqjd...
vendor-advisory

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Vincent55 (DEVCORE Internship Program)
JSON
.