Thanks for the report but this is not the right way of sending security reports.
Look at our https://github.com/apache/airflow/security/policy on kinds of reports and how they should be reported. Sending such a report to the (public) devlist increases noise and distracts maintainers and (if the report is valid) is really non-responsible reporting. Security researchers and reporters should always follow "responsible disclosure" patterns and should always get familiar with the security policy that the projects they are reporting to publish.

Also in this case there are multiple things that are wrong with such a report:

1) we do not accept reports that "some" vulnerability in "some" of our dependencies in "some" version of "some" of the packages we released are vulnerable - unless there is a POC of how this 3rd-party vulnerability can be exploited
2) the backport package you mentioned is a package that was only released and working for Airflow 1, which has been EOL for more than 4 years already - see our README file (June 17, 2021 is the exact EOL time for Airflow 1.10).

Please treat it as a learning exercise and make sure to read the policies and information about the vulnerabilities you report and avoid creating unnecessary distraction for maintainers and, more importantly, to avoid accidental "irresponsible" disclosure.

J.

On Sat, Sep 6, 2025 at 3:38 PM Jarek Potiuk <ja...@potiuk.com> wrote:

> Thanks for the report but this is not the right way of sending security reports.
>
> Look at our https://github.com/apache/airflow/security/policy on kinds of reports and how they should be reported. Sending such a report to the (public) devlist increases noise and distracts maintainers and (if the report is valid) is really non-responsible reporting. Security researchers and reporters should always follow "responsible disclosure" patterns and should always get familiar with the security policy that the projects they are reporting to publish.
>
> Also in this case there are multiple things that are wrong with such a report:
>
> 1) we do not accept reports that "some" vulnerability in "some" of our dependencies in "some" version of "some" of the packages we released are vulnerable - unless there is a POC of how this 3rd-party vulnerability can be exploited
> 2) the backport package you mentioned is a package that was only released and working for Airflow 1, which has been EOL for more than 4 years already - see our README file (June 17, 2021 is the exact EOL time for Airflow 1.10).
>
> Please treat it as a learning exercise and make sure to read the policies and information about the vulnerabilities you report and avoid creating unnecessary distraction for maintainers and, more importantly, to avoid accidental "unresponsive" disclosure.
>
> J.
>
> On Sat, Sep 6, 2025 at 3:30 PM Sunha Park <sun...@korea.ac.kr> wrote:
>
>> Hello Apache Airflow team,
>>
>> I am a graduate student researching software security.
>> While analyzing PyPI packages, I found that your package apache-airflow-backport-providers-mongo reuses code from apache-airflow-providers-mongo-1.0.0.
>>
>> Package alerta-server has a known vulnerability CVE-2024-25141.
>> Reference: https://osv.dev/vulnerability/CVE-2024-25141
>>
>> It seems that the vulnerable code has not been patched in apache-airflow-backport-providers-mongo. I recommend checking the commit history of apache-airflow-providers-mongo-1.0.0 where the issue was fixed and applying the same patch to your package.
>>
>> Best regards,
>>
>> Sunha Park
>> Korea University
>> Dept. of Computer Science and Engineering / M.S. student
>>
>> LAB https://ssp.korea.ac.kr
>> Email sun...@korea.ac.kr