CVE-2025-27018
published 2025-03-19CVE-2025-27018: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow MySQL Provider. When user triggered a DAG…
medium6.3CVSS 3.1
AVNACLPRLUINSUCLILAL
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow MySQL Provider.
When user triggered a DAG with dump_sql or load_sql functions they could pass a table parameter from a UI, that could cause SQL injection by running SQL that was not intended.
It could lead to data corruption, modification and others.
This issue affects Apache Airflow MySQL Provider: before 6.2.0.
Users are recommended to upgrade to version 6.2.0, which fixes the issue.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | airflow | >= 3.0.0 < 3.2.2 | 3.2.2 |
| apache | apache-airflow-providers-mysql | < 6.2.0 | 6.2.0 |
| apache | apache-airflow-providers-mysql | >= 0 < 6.2.0 | 6.2.0 |
| apache_software_foundation | apache_airflow | >= 3.0.0 < 3.2.2 | 3.2.2 |
| msrc | azl3_hyperv-daemons_6.6.22.1-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_hyperv-daemons_6.6.35.1-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_kernel_6.6.22.1-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_kernel_6.6.35.1-5_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_hyperv-daemons_5.15.158.1-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_hyperv-daemons_5.15.180.1-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_kernel_5.15.153.1-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_kernel_5.15.158.1-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |