oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2025-27018: Apache Airflow MySQL Provider: SQL injection in MySQL provider core function

From: Elad Kalif <eladkal () apache org>
Date: Wed, 19 Mar 2025 08:20:43 +0000
Severity: low

Affected versions:

- Apache Airflow MySQL Provider before 6.2.0

Description:

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow 
MySQL Provider.

When user triggered a DAG with dump_sql or load_sql functions they could pass a table parameter from a UI, that could 
cause SQL injection by running SQL that was not intended.
It could lead to data corruption, modification and others.
This issue affects Apache Airflow MySQL Provider: before 6.2.0.

Users are recommended to upgrade to version 6.2.0, which fixes the issue.

Credit:

Vincent55 (DEVCORE Internship Program) (finder)

References:

https://github.com/apache/airflow/pull/47254
https://github.com/apache/airflow/pull/47255
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-27018
Previous By Date Next
Previous By Thread Next

Current thread: