CVE-2025-27018: SQL Injection in Apache Airflow MySQL Provider (Apache Software Foundation)

CWE-89: SQL Injection | 5 documents | 5 sources
Severity
6.3 MEDIUM (NVD)
EPSS
0.3%
top 43.77%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Mar 19

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow MySQL Provider. When a user triggered a DAG using the dump_sql or load_sql functions, they could pass a table parameter from the UI that could cause SQL injection by running SQL that was not intended. It could lead to data corruption, modification and others. This issue affects Apache Airflow MySQL Provider: before 6.2.0. Users are recommended to upgrade to version 6.2.0, which fixes the

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Exploitability: 2.8 | Impact: 3.4

Vulnerability Details (3)

OSV: Apache Airflow MySQL Provider is Vulnerable to SQL Injection (2025-03-19)
CVEList: Apache Airflow MySQL Provider: SQL injection in MySQL provider core function (2025-03-19)
GHSA: Apache Airflow MySQL Provider is Vulnerable to SQL Injection (2025-03-19)

Vendor Advisories (1)

Microsoft: netfilter: br_netfilter: skip conntrack input hook for promisc packets (2024-05-14)
CVE-2025-27018 — SQL Injection | cvebase