CVE-2025-67895
BaseFortify
Publication date: 2025-12-17
Last updated on: 2025-12-22
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | apache-airflow-providers-edge3 | to 2.0.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-669 | The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Edge3 provider for Apache Airflow 2, which was development-only and not officially released. If installed and configured, it enabled a non-public API that allowed a DAG author to perform Remote Code Execution (RCE) in the webserver context, which they should not have been able to do. This means an attacker with DAG author permissions could execute arbitrary code on the Airflow webserver.
How can this vulnerability impact me? :
If you installed and configured the Edge3 provider on Airflow 2, an attacker with DAG author permissions could exploit this vulnerability to execute arbitrary code remotely on the Airflow webserver. This could lead to unauthorized control over the server, data compromise, or further attacks within your environment. Users of Airflow 3 or Edge3 provider versions 2.0.0 and above are not affected.
What immediate steps should I take to mitigate this vulnerability?
If you have installed and configured the Edge3 provider on Airflow 2, you should immediately uninstall the Edge3 provider and migrate to Airflow 3. The Edge3 provider versions 2.0.0 and above require Airflow 3 and have removed the vulnerable code that allowed Remote Code Execution in Airflow 2. If you are using Edge3 provider on Airflow 3, you are not affected. [2]