CVE-2025-65995
Status: Received - Intake
Information Disclosure in Apache Airflow UI via DAG Parsing Error

Publication date: 2026-02-21

Last updated on: 2026-02-25

Assigner: Apache Software Foundation

Description
When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view that DAG. The issue has been fixed in Airflow 3.1.4 and 2.11.1, and users are strongly advised to upgrade to prevent potential disclosure of sensitive information.
Meta Information
Published: 2026-02-21
Last Modified: 2026-02-25
Generated: 2026-05-07
AI Q&A: 2026-02-21
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
2 associated CPEs:
Vendor   Product   Version / Range
apache   airflow   up to 2.11.1 (excluding)
apache   airflow   from 3.0.0 (including) up to 3.1.4 (excluding)
CWE
CWE-209: The product generates an error message that includes sensitive information about its environment, users, or associated data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-65995 is a vulnerability in Apache Airflow where, if a Directed Acyclic Graph (DAG) fails during parsing, the error-reporting in the Airflow UI could display the full keyword arguments (kwargs) passed to operators.

If these kwargs contain sensitive information such as secrets or credentials, they might be exposed in the UI tracebacks to authenticated users who have permission to view that DAG.

The issue was caused by improper redaction or masking of illegal or sensitive kwargs in error messages, allowing sensitive data to be leaked during DAG execution failures.

This vulnerability has been fixed by improving the sanitization and masking of these kwargs in Airflow versions 3.1.4 and 2.11.1.


How can this vulnerability impact me?

This vulnerability can lead to the unintended disclosure of sensitive information such as secrets or credentials contained in the kwargs passed to Airflow operators.

Authenticated users with permission to view the affected DAG could see these sensitive values in the UI error tracebacks when a DAG fails during parsing.

Such exposure increases the risk of sensitive data leakage within an organization, potentially leading to unauthorized access or misuse of confidential information.

Upgrading to Airflow versions 3.1.4 or 2.11.1 is strongly advised to prevent this potential disclosure.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests when a DAG fails during parsing in Apache Airflow, causing the UI error-reporting to display full keyword arguments (kwargs) passed to operators, potentially exposing sensitive information.

To detect this vulnerability on your system, you can check if your Airflow installation is a version prior to 2.11.1 or 3.1.4, as these versions contain the fix.

You can also monitor Airflow UI error tracebacks for exposure of sensitive kwargs when DAG parsing fails.

There are no specific commands provided in the available resources to detect the vulnerability directly on the network or system.
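The detection answer above reduces to a version comparison against the two affected ranges in the record's CPE table (below 2.11.1, and from 3.0.0 up to but excluding 3.1.4). The following script is an added example, not part of the record and not Airflow project code; it reads the installed apache-airflow distribution version (or a version string given on the command line) and reports whether it falls inside either range. The function names, the pre-release handling and the sample inputs are constructed for this example.

```python
"""Version check against the affected ranges in this record (CVE-2025-65995).

Added example, not part of the record and not Airflow project code. The two
ranges come from the record's CPE table: versions below 2.11.1, and versions
from 3.0.0 (inclusive) below 3.1.4 (exclusive). The function names and the
sample inputs are constructed for this example.
"""
import re

# (lower bound inclusive or None, upper bound exclusive), from the CPE table
AFFECTED_RANGES = [
    (None, (2, 11, 1)),
    ((3, 0, 0), (3, 1, 4)),
]

# Leading release segments, then an optional pre-release tag such as rc1/b2/dev3
_VERSION_RE = re.compile(
    r"^\s*v?(\d+(?:\.\d+)*)\s*(?:[-.]?(alpha|beta|pre|dev|rc|a|b)\d*)?", re.I
)


def parse_version(text):
    """Turn '3.1.3', '2.11' or '3.1.4rc1' into a comparable tuple.

    The release is padded to three segments, and a trailing flag orders a
    pre-release below its final release (PEP 440 style): 3.1.4rc1 -> (3, 1, 4, 0)
    sorts below 3.1.4 -> (3, 1, 4, 1), so a release candidate of the fixed
    version is still reported as affected.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (3 - len(release))
    return release + ((0,) if m.group(2) else (1,))


def _bound(release):
    # Bounds in the CPE table are final releases, so they carry the final flag
    return release + (1,)


def is_affected(version_text):
    """True if the version falls inside one of the record's affected ranges."""
    v = parse_version(version_text)
    for lower, upper in AFFECTED_RANGES:
        if (lower is None or v >= _bound(lower)) and v < _bound(upper):
            return True
    return False


def installed_airflow_version():
    """Version of the apache-airflow distribution visible to this interpreter,
    or None if it is not installed."""
    from importlib.metadata import PackageNotFoundError, version
    try:
        return version("apache-airflow")
    except PackageNotFoundError:
        return None


def assess(version_text):
    """Return a small report dict for one version string."""
    affected = is_affected(version_text)
    major = parse_version(version_text)[0]
    fixed = "3.1.4" if major >= 3 else "2.11.1"
    return {
        "version": version_text,
        "affected": affected,
        "fixed_in": fixed if affected else None,
    }


if __name__ == "__main__":
    import sys
    # Constructed usage: a version given on the command line, else the one installed here
    target = sys.argv[1] if len(sys.argv) > 1 else installed_airflow_version()
    if target is None:
        print("apache-airflow not installed here; pass a version string as the first argument")
    else:
        print(assess(target))
```

Run it inside the virtual environment that serves the Airflow webserver and scheduler, since that is the distribution whose version matters; on a multi-node deployment, run it on every node rather than trusting one. A version at or above the fixed release still leaves the secondary point from the mitigation answer in force: kwargs that carry secrets inline are better moved to connections or a secrets backend regardless of version.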


What immediate steps should I take to mitigate this vulnerability?

The primary and immediate mitigation step is to upgrade Apache Airflow to version 3.1.4 or 2.11.1 or later, where the vulnerability has been fixed.

This upgrade ensures that sensitive keyword arguments (kwargs) passed to operators are properly redacted in error messages and UI tracebacks, preventing exposure of secrets.

Until the upgrade can be applied, restrict access to the Airflow UI to only trusted and authenticated users with necessary permissions to minimize the risk of sensitive data exposure.
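The mitigation answer describes the fix as redacting operator kwargs before they reach error messages and UI tracebacks. The following script is an added example, not part of the record and not Airflow code: it does not reproduce the Airflow patch, it only places the failure mode the record describes (a DAG file that fails while instantiating an operator, with the full kwargs echoed into the exception text) next to a name-based redaction of the kind the fix is described as adding. The validators, the allowed and sensitive name lists and the sample kwargs are all constructed.

```python
"""Leaky versus redacted error reporting for operator kwargs (CWE-209).

Added example, not part of the record and not Airflow code: it does not
reproduce the Airflow patch, it only illustrates the failure mode the record
describes (full kwargs in a parsing-error message) next to the kind of
redaction the fix is described as adding. The validators, the allowed and
sensitive name lists and the sample kwargs below are all constructed.
"""
import re

# Constructed: kwarg names whose values are treated as secrets
SENSITIVE_NAME = re.compile(
    r"password|passwd|secret|token|api_?key|private_key|credential", re.I
)
MASK = "***"

# Constructed: the only kwargs our toy operator accepts
ALLOWED_KWARGS = {"task_id", "conn_id", "sql", "parameters"}


def redact(value, name=""):
    """Return a copy of value with secret-looking entries replaced by MASK.

    Masking is decided by the key a value sits under, so nested dicts such as
    parameters={"db_password": ...} are covered; lists keep their shape.
    """
    if isinstance(value, dict):
        return {k: redact(v, str(k)) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(redact(v, name) for v in value)
    if SENSITIVE_NAME.search(name):
        return MASK
    return value


def validate_kwargs_leaky(**kwargs):
    """Vulnerable pattern: the exception text carries the full kwargs."""
    unknown = sorted(set(kwargs) - ALLOWED_KWARGS)
    if unknown:
        raise TypeError(f"unexpected kwargs {unknown} in {kwargs!r}")
    return kwargs


def validate_kwargs_redacted(**kwargs):
    """Hardened pattern: same diagnostic, but the kwargs are redacted first."""
    unknown = sorted(set(kwargs) - ALLOWED_KWARGS)
    if unknown:
        raise TypeError(f"unexpected kwargs {unknown} in {redact(kwargs)!r}")
    return kwargs


def parsing_error_text(validator, kwargs):
    """Simulate the UI path: a DAG file fails while it instantiates an
    operator, and the exception's text is what the UI traceback shows."""
    try:
        validator(**kwargs)
    except TypeError as exc:
        return str(exc)
    return ""


# Constructed DAG-author mistake: a typo'd kwarg ("retreis") alongside secrets
# that were passed inline instead of through a connection or secrets backend
SAMPLE_KWARGS = {
    "task_id": "load_orders",
    "conn_id": "warehouse",
    "parameters": {"db_password": "hunter2-CONSTRUCTED"},
    "api_token": "tok-CONSTRUCTED",
    "retreis": 3,
}


def leaks_secret(message):
    """True if either constructed secret value appears in the message."""
    return "hunter2-CONSTRUCTED" in message or "tok-CONSTRUCTED" in message


if __name__ == "__main__":
    for validator in (validate_kwargs_leaky, validate_kwargs_redacted):
        msg = parsing_error_text(validator, SAMPLE_KWARGS)
        print(f"{validator.__name__}: leaks={leaks_secret(msg)}\n  {msg}")
```

The redacted message keeps what the DAG author needs (the offending kwarg name and the non-secret values) while dropping the secret values, which is the point of the CWE-209 fix: diagnostics stay useful without becoming a disclosure channel for anyone allowed to view the DAG. Name-based masking only catches values under recognisable keys, so it complements, rather than replaces, keeping secrets out of DAG code in the first place.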

