[oss-security] CVE-2025-27018: Apache Airflow MySQL Provider: SQL injection in MySQL provider core function

Elad Kalif Wed, 19 Mar 2025 10:07:44 -0700

Severity: low

Affected versions:


- Apache Airflow MySQL Provider before 6.2.0

Description:

Improper Neutralization of Special Elements used in an SQL Command ('SQL 
Injection') vulnerability in Apache Airflow MySQL Provider.

When user triggered a DAG with dump_sql or load_sql functions they could pass a 
table parameter from a UI, that could cause SQL injection by running SQL that 
was not intended.
It could lead to data corruption, modification and others.
This issue affects Apache Airflow MySQL Provider: before 6.2.0.

Users are recommended to upgrade to version 6.2.0, which fixes the issue.

Credit:

Vincent55 (DEVCORE Internship Program) (finder)

References:

https://github.com/apache/airflow/pull/47254
https://github.com/apache/airflow/pull/47255
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-27018

[oss-security] CVE-2025-27018: Apache Airflow MySQL Provider: SQL injection in MySQL provider core function

Reply via email to