CVE-2025-57735

CWE-613 — Insufficient Session Expiration4 documents4 sources

Severity

9.1CRITICAL

EPSS

0.0%

top 98.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow

Timeline

PublishedApr 9

Description

When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about the logout scenario and possibility of intercepting the tokens, should upgrade to Airflow 3.2+ Users are recommended to upgrade to version 3.2.0, which fixes this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages2 packages

▶PyPIapache-airflow3.0.0 — 3.2.0

▶CVEListV5apache_software_foundation/apache_airflow3.0.0 — 3.2.0

🔴Vulnerability Details

GHSA

GHSA-c92r-g8j5-vhcx: When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was inter↗2026-04-09

▶

GHSA

Apache Airflow: JWT token still valid after logout↗2026-04-09

▶

CVEList

Apache Airflow: Airflow Logout Not Invalidating JWT↗2026-04-09

▶