CVE-2025-68675

Severity: 7.5 HIGH
EPSS: 0.0% (top 91.86%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 16

Description

In Apache Airflow versions before 3.1.6 and 2.11.1, the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed. Users are recommended to upgrade to 3.1.6 or later for Airflow 3, and 2.11.1 or later

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

NVD | apache/airflow | < 3.1.6
PyPI | apache-airflow | 3.0.0b1 | 3.1.6 | +1
CVEListV5 | apache_software_foundation/apache_airflow | 3.0.0 | 3.1.6 | +1

🔴Vulnerability Details

3
CVEList
Apache Airflow: proxy credentials for various providers might leak in task logs (2026-01-16)
GHSA
Apache Airflow proxy credentials for various providers might leak in task logs (2026-01-16)
OSV
Apache Airflow proxy credentials for various providers might leak in task logs (2026-01-16)

🕵️Threat Intelligence

1
Wiz
CVE-2025-68675 Impact, Exploitability, and Mitigation Steps | Wiz