CVE-2025-30473

Severity CVSS v4.0: Pending analysis
Type: CWE-89 SQL Injection
Publication date: 07/04/2025
Last modified: 11/04/2025

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow Common SQL Provider.

When using the partition clause in SQLTableCheckOperator as a parameter (which was a recommended pattern), an authenticated UI user could inject arbitrary SQL commands when triggering a DAG that exposes partition_clause to the user. This allowed the DAG-triggering user to escalate privileges and execute arbitrary commands that they would not normally be able to run.

This issue affects Apache Airflow Common SQL Provider: before 1.24.1.

Users are recommended to upgrade to version 1.24.1, which fixes the issue.
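To find DAGs that match the pattern described above, the following added example (not code from the advisory or from the Airflow project) parses DAG source and reports every SQLTableCheckOperator call whose partition_clause is not a fixed string, and checks a provider version against the fixed release. It assumes the exposure happens through Jinja templating such as `{{ params.… }}`; the function names and the sample DAG are constructed for illustration.

```python
import ast
import re

FIXED = (1, 24, 1)  # first fixed provider release, per the advisory

def is_affected(version: str) -> bool:
    """True if a common-sql provider version string is below 1.24.1."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(g) for g in m.groups()) < FIXED

def exposed_partition_clauses(source: str) -> list[tuple[int, str]]:
    """Return (line, expression) for every SQLTableCheckOperator call whose
    partition_clause is anything other than a fixed string without Jinja."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = getattr(node.func, "id", None) or getattr(node.func, "attr", None)
        if name != "SQLTableCheckOperator":
            continue
        for kw in node.keywords:
            if kw.arg != "partition_clause":
                continue
            v = kw.value
            fixed = isinstance(v, ast.Constant) and (
                v.value is None or (isinstance(v.value, str) and "{{" not in v.value)
            )
            if not fixed:  # templated or computed value: needs manual review
                findings.append((v.lineno, ast.unparse(v)))
    return sorted(findings)

# Constructed sample DAG source; it is parsed only, never imported or executed.
SAMPLE_DAG = '''
from airflow.providers.common.sql.operators.sql import SQLTableCheckOperator

static = SQLTableCheckOperator(
    task_id="static_check", table="orders", checks={"row_count": {"check_statement": "COUNT(*) > 0"}},
    partition_clause="region = 'EU'",
)
templated = SQLTableCheckOperator(
    task_id="templated_check", table="orders", checks={"row_count": {"check_statement": "COUNT(*) > 0"}},
    partition_clause="{{ params.partition }}",
)
'''

if __name__ == "__main__":
    for line, expr in exposed_partition_clauses(SAMPLE_DAG):
        print(f"line {line}: partition_clause={expr} is not a fixed string; review")
```

A finding is a prompt for review rather than proof of exploitability: a value built from a module-level constant is reported the same way as one taken from trigger-time parameters.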

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:a:apache:airflow_common_sql_provider:*:*:*:*:*:*:*:* | | 1.24.1 (excluding) |