Remote Code Execution Vulnerability in Apache Airflow Provider by Edge3
CVE-2025-67895

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Airflow Providers Edge3
Vendor: CVE Published:; 17 December 2025

What is CVE-2025-67895?

A vulnerability in the Edge3 provider for Apache Airflow allows for Remote Code Execution (RCE) in the webserver context if installed on Airflow 2. This issue arises because the Edge3 provider has been in a development state and exposed non-public APIs initially meant for testing purposes. As a result, unauthorized actions can be executed by Dag authors, leading to potential security breaches. Users who have configured this provider are advised to uninstall it and upgrade to Airflow 3, where the risk has been mitigated by removing the vulnerable code. It is essential to ensure that the new Edge3 provider versions (2.0.0 and above) are used with Airflow 3 to eliminate such vulnerabilities.

Affected Version(s)

Apache Airflow Providers Edge3 0 < 2.0.0

References

https://github.com/apache/airflow/pull/59143

patch

https://lists.apache.org/thread/hhnmmzkj5qx5gbk6pdkh8tcsx...

vendor-advisory

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 17, 2025
Vulnerability Reserved
Dec 13, 2025

Credit

Lee

JSON