CVE-2025-27018

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-27018
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow MySQL Provider. When user triggered a DAG with dump_sql or load_sql functions they could pass a table parameter from a UI, that could cause SQL injection by running SQL that was not intended. It could lead to data corruption, modification and others. This issue affects Apache Airflow MySQL Provider: before 6.2.0. Users are recommended to upgrade to version 6.2.0, which fixes the issue.

6.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://github.com/apache/airflow/pull/47254 Issue Tracking
https://github.com/apache/airflow/pull/47255 Issue Tracking
https://lists.apache.org/thread/m8ohgkwz4mq9njohf66sjwqjdy28gvzf Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/03/19/4 Mailing List
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:apache-airflow-providers-mysql:*:*:*:*:*:*:*:*
History

03 Jun 2025, 21:11

Type Values Removed Values Added
First Time Apache
Apache apache-airflow-providers-mysql
CPE cpe:2.3:a:apache:apache-airflow-providers-mysql:*:*:*:*:*:*:*:*
References () https://github.com/apache/airflow/pull/47254 - () https://github.com/apache/airflow/pull/47254 - Issue Tracking
References () https://github.com/apache/airflow/pull/47255 - () https://github.com/apache/airflow/pull/47255 - Issue Tracking
References () https://lists.apache.org/thread/m8ohgkwz4mq9njohf66sjwqjdy28gvzf - () https://lists.apache.org/thread/m8ohgkwz4mq9njohf66sjwqjdy28gvzf - Mailing List, Vendor Advisory
References () http://www.openwall.com/lists/oss-security/2025/03/19/4 - () http://www.openwall.com/lists/oss-security/2025/03/19/4 - Mailing List

25 Mar 2025, 18:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.3

19 Mar 2025, 19:15

Type Values Removed Values Added
Summary
  • (es) Vulnerabilidad de neutralización incorrecta de elementos especiales utilizados en una instrucción SQL ('Inyección SQL') en Apache Airflow MySQL Provider. Al activar un DAG con las funciones dump_sql o load_sql, el usuario podía pasar un parámetro de tabla desde una interfaz de usuario, lo que podía causar una inyección SQL al ejecutar SQL no previsto. Esto podía provocar corrupción y modificación de datos, entre otros problemas. Este problema afecta a Apache Airflow MySQL Provider anterior a la versión 6.2.0. Se recomienda actualizar a la versión 6.2.0, que soluciona el problema.
References
  • () http://www.openwall.com/lists/oss-security/2025/03/19/4 -

19 Mar 2025, 09:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-03-19 09:15

Updated : 2025-06-03 21:11

NVD link : CVE-2025-27018

Mitre link : CVE-2025-27018

CVE.ORG link : CVE-2025-27018

JSON object : View

Products Affected

apache

  • apache-airflow-providers-mysql
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')