CVE-2025-27018 - Apache Airflow MySQL Provider SQL Injection Vulnerability Fixed in v6.2.

A recently discovered vulnerability in the Apache Airflow MySQL Provider (versions before 6.2.) allows an attacker to perform SQL injection attacks on the system. CVE-2025-27018 has been assigned to this vulnerability, and this post will provide an in-depth analysis of the issue, including code snippets, links to original references, and exploit details. Be sure to update Apache Airflow MySQL Provider to version 6.2. to resolve this issue.

Vulnerability Details (Improper Neutralization of Special Elements used in an SQL Command)

The CVE-2025-27018 vulnerability is caused by an improper neutralization of special elements used in an SQL command, commonly known as an 'SQL Injection' vulnerability. This vulnerability can lead to data corruption, modification, and other malicious activities if exploited by an attacker.

In the Apache Airflow MySQL Provider, when a user triggers a DAG (Directed Acyclic Graph) with dump_sql or load_sql functions, they could pass a table parameter from a UI. This table parameter could be manipulated by an attacker to cause SQL injection by running unauthorized SQL commands that were not intended to be executed.

The following code snippet demonstrates this vulnerability in action

from airflow.operators.mysql_operator import MySqlOperator
from airflow.models import DAG

dag = DAG("sql_injection_vulnerable", schedule_interval="@daily")

t1 = MySqlOperator(
    task_id="vulnerable_task",
    sql="SELECT * FROM  {user_controlled_table_name}",
    dag=dag)

In this code snippet, user_controlled_table_name could contain malicious SQL, leading to the execution of unintended SQL commands.

Affected Versions

This issue affects Apache Airflow MySQL Provider versions before 6.2..

Solution and Mitigation

Users are strongly recommended to upgrade to Apache Airflow MySQL Provider version 6.2. as soon as possible, which fixes the SQL injection vulnerability. To upgrade, follow the official update instructions provided by the Apache Airflow team.

In addition to updating the software, users should ensure that they perform proper input validation and sanitization throughout the entirety of their Apache Airflow configuration to mitigate any potential for injection-based attacks further.

Original References

For more information regarding the Apache Airflow MySQL Provider SQL Injection Vulnerability (CVE-2025-27018), the following resources are available:

- Official CVE Record
- NVD Vulnerability Details
- Apache Airflow Security Bulletin
- Apache Airflow Official Documentation

Conclusion

The recently discovered CVE-2025-27018 vulnerability in the Apache Airflow MySQL Provider highlights the importance of staying up-to-date with the latest software patches and performing ongoing security maintenance for your software stack. Companies using Airflow should promptly update to version 6.2. to protect themselves from potential SQL injection attacks.

By understanding the vulnerability and taking the necessary steps to mitigate the risks, users can continue to leverage the powerful features provided by Apache Airflow without compromising the security of their data.

Timeline

Published on: 03/19/2025 09:15:14 UTC
Last modified on: 03/25/2025 18:15:34 UTC