BIT-airflow-2025-57735

Import Source
https://github.com/bitnami/vulndb/tree/main/data/airflow/BIT-airflow-2025-57735.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-airflow-2025-57735
Aliases
Published
2026-04-13T05:37:57.108Z
Modified
2026-04-13T08:27:21.710568878Z
Summary
Apache Airflow: Airflow Logout Not Invalidating JWT
Details

When a user logged out, the JWT token the user had authenticated with was not invalidated, which could lead to reuse of that token if it had been intercepted. Airflow 3.2 implements a mechanism that invalidates the token at logout. Users who are concerned about the logout scenario and the possibility of tokens being intercepted should upgrade to Airflow 3.2+.

Users are recommended to upgrade to version 3.2.0, which fixes this issue.

Database specific
{
    "severity": "Critical",
    "cpes": [
        "cpe:2.3:a:apache:airflow:*:*:*:*:*:python:*:*"
    ]
}
References

Affected packages

Bitnami / airflow

Package

Name
airflow
Purl
pkg:bitnami/airflow

Severity

  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected ranges

Type
SEMVER
Events
Introduced
3.0.0
Fixed
3.2.0

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/airflow/BIT-airflow-2025-57735.json"