SQL Injection Vulnerability in Apache Airflow Common SQL Provider
CVE-2025-30473

8.8HIGH

Key Information:

Vendor

Apache
Status
Apache Airflow Common Sql Provider
Vendor
CVE Published:
7 April 2025

Badges

đź“° News Worthy

What is CVE-2025-30473?

An improper neutralization of special elements used in SQL commands allows authenticated users of Apache Airflow Common SQL Provider to exploit the system. By leveraging the partition clause in SQLTableCheckOperator, an attacker can inject arbitrary SQL commands when triggering directed acyclic graphs (DAGs). This grants the user unauthorized privileges to execute commands they typically wouldn't be allowed to, presenting a significant security risk. Users are advised to upgrade to version 1.24.1 to mitigate this vulnerability.

Affected Version(s)

Apache Airflow Common SQL Provider 0 < 1.24.1

News Articles

favicon imageSeclists.org

Open Source Security Mailing List

SecLists.org archive for the Open Source Security mailing list: Discussion of security flaws, concepts, and practices in the Open Source community

References

https://github.com/apache/airflow/pull/48098
patch
https://lists.apache.org/thread/53klkv790cylqcop0350w7nfq...
vendor-advisory

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • đź“°

    First article discovered by Seclists.org

  • Vulnerability published

  • Vulnerability Reserved

Credit

nxczje
.
CVE-2025-30473 : SQL Injection Vulnerability in Apache Airflow Common SQL Provider