CVE-2025-30473: Apache Airflow Common SQL Provider: Remote Code Execution via Sql Injection

Elad Kalif Fri, 04 Apr 2025 11:54:28 -0700

Severity: low

Affected versions:


- Apache Airflow Common SQL Provider before 1.24.1

Description:

Improper Neutralization of Special Elements used in an SQL Command ('SQL 
Injection') vulnerability in Apache Airflow Common SQL Provider.

When using the partition clause in SQLTableCheckOperator as parameter (which 
was a recommended pattern), Authenticated UI User could inject arbitrary SQL 
command when triggering DAG exposing partition_clause to the user.
This allowed the DAG Triggering user to escalate privileges to execute those 
arbitrary commands which they normally would not have.


This issue affects Apache Airflow Common SQL Provider: before 1.24.1.

Users are recommended to upgrade to version 1.24.1, which fixes the issue.

Credit:

nxczje (reporter)

References:

https://github.com/apache/airflow/pull/48098
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-30473


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@airflow.apache.org
For additional commands, e-mail: users-h...@airflow.apache.org

CVE-2025-30473: Apache Airflow Common SQL Provider: Remote Code Execution via Sql Injection

Reply via email to