oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2025-50213: Apache Airflow Providers Snowflake: Potential SQL injection in CopyFromExternalStageToSnowflakeOperator

From: Elad Kalif <eladkal () apache org>
Date: Tue, 24 Jun 2025 05:41:04 +0000
Severity: low 

Affected versions:

- Apache Airflow Providers Snowflake (apache-airflow-providers-snowflake) before 6.4.0

Description:

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) vulnerability in Apache Airflow 
Providers Snowflake.

This issue affects Apache Airflow Providers Snowflake: before 6.4.0.

Sanitation of table and stage parameters were added in CopyFromExternalStageToSnowflakeOperator to prevent SQL injection
Users are recommended to upgrade to version 6.4.0, which fixes the issue.

Credit:

Nhien Pham (@nhienit) at Galaxy One (finder)

References:

https://github.com/apache/airflow/pull/51734
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-50213
Previous By Date Next
Previous By Thread Next

Current thread: