CVE-2025-65995: Information Exposure via Error Message in Apache Software Foundation Apache Airflow

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.0% (top 96.95%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 21

Description

When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view that DAG. The issue has been fixed in Airflow 3.1.4 and 2.11.1, and users are strongly advised to upgrade to prevent potential disclosure of sensitive information.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (2 packages)

NVD: apache/airflow, affected from 3.0.0, fixed in 3.1.4 (+1 additional range)
CVEListV5: apache_software_foundation/apache_airflow, affected from 3.0.0, fixed in 3.1.4 (+1 additional range)

Patches

🔴 Vulnerability Details (3)

OSV: Apache Airflow error reporting may expose full kwargs (2026-02-21)
CVEList: Apache Airflow: Disclosure of secrets to UI via kwargs (2026-02-21)
GHSA: Apache Airflow error reporting may expose full kwargs (2026-02-21)

🕵️ Threat Intelligence (1)

Wiz: CVE-2025-65995 Impact, Exploitability, and Mitigation Steps | Wiz

Page: CVE-2025-65995 — Information Exposure via Error Message | cvebase