Hello everyone,

As you might know, Airflow 2 has a long-time issue with not being able to upgrade the Werkzeug dependency to a non-vulnerable version, and that raises a lot of alarms for users who run CVE checks on Airflow.

We've been waiting for a long time for that, but it looks like there is light at the end of the tunnel. We have two options that we can attempt:

1) Connexion 2.15.0rc1
2) Releasing a package that will patch Werkzeug 2.2.3 with backported CVE fixes

Recently the Google team attempted to back-port and test fixes to an older version of Werkzeug and I helped to get through to the maintainers - https://github.com/pallets/werkzeug/discussions/3034 - however they are not really willing to make that into a regular release; the reasoning is explained in the discussion.

However, after many months of discussions and at least 3 attempts to bump dependencies for Connexion, we seem to have an RC candidate (2.15.0rc1, https://pypi.org/project/connexion/2.15.0rc1/) that lifts the limit for Werkzeug (released 4 days ago). There were some breaking changes in Werkzeug that made it so long and difficult, but I think we should be able to release a 2.11.1 version of Airflow with it.

I made a first attempt to migrate here: https://github.com/apache/airflow/pull/51681 and while I was able to work out non-conflicting dependencies and bump Werkzeug, there are some things to be fixed with session handling, and there is still one outstanding problem: FAB requires Flask < 3 and currently Connexion 2.15.0rc1 requires Flask >= 3, which FAB (even the upcoming FAB 5) does not support. And likely migrating to Flask 3 is **not** an option for us anyway. I started a discussion here with those who worked on the Connexion patch for Werkzeug to see if that is a "hard" limit: https://github.com/spec-first/connexion/pull/1992#issuecomment-2969565640

Alternative option - patch package:

We also have a "last-resort" approach that we are looking at with the Google team. We might want to release a "werkzeug-patch" package that will apply the CVE patches to Werkzeug 2.2.3.

Option 1) It is not yet clear whether it is possible due to Flask 3 / Flask 2, and it would only work for 2.11.1 - we need to make some fixes and change dependencies for Airflow to make it work.

Option 2) Is hacky (I am talking to the Werkzeug maintainers about what they think about it, as we would likely need to have at least a comment in the CVE advisory that this package fixes it as well). But it has the benefit that it will **just work** by installing the patch on basically all past Airflow versions.

Just wanted to let everyone know this is happening and ask if you have any opinions on those.

J.