CVE-2025-57735 Overview
CVE-2025-57735 is a critical session management vulnerability in Apache Airflow where JWT tokens are not properly invalidated when a user logs out. This insufficient session expiration flaw (CWE-613) allows attackers who have intercepted a valid JWT token to continue using it even after the legitimate user has terminated their session, potentially leading to unauthorized access to sensitive workflow orchestration systems.
Critical Impact
Attackers with intercepted JWT tokens can maintain persistent unauthorized access to Apache Airflow instances even after legitimate users log out, potentially compromising workflow automation, data pipelines, and connected infrastructure.
Affected Products
- Apache Airflow versions prior to 3.2.0
Discovery Timeline
- 2026-04-09 - CVE-2025-57735 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2025-57735
Vulnerability Analysis
This vulnerability stems from improper session lifecycle management in Apache Airflow's authentication system. When users authenticate, the system issues JWT (JSON Web Token) tokens that serve as bearer credentials for subsequent API requests. Under normal secure operation, these tokens should be invalidated server-side when a user explicitly logs out.
However, in affected versions of Apache Airflow, the logout functionality failed to properly invalidate the JWT token. The token remained valid and usable until its natural expiration time, regardless of whether the user had terminated their session. This creates a window of opportunity for attackers who have obtained the token through various means such as network interception, XSS attacks, or log file exposure.
The impact is particularly severe in shared computing environments, systems exposed to network monitoring, or scenarios where users access Airflow from potentially compromised networks. An attacker with a captured token gains the same level of access as the original user, which in Airflow environments often includes the ability to view, modify, and execute data pipelines.
Root Cause
The root cause of this vulnerability is the lack of server-side token invalidation during the logout process (CWE-613: Insufficient Session Expiration). Apache Airflow's authentication implementation relied solely on client-side token deletion without maintaining a server-side blocklist or revocation mechanism for invalidated tokens. This architectural oversight meant that logging out was effectively only a client-side action with no server-side enforcement.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker must first obtain a valid JWT token through methods such as:
- Man-in-the-middle attacks on network traffic
- Accessing browser storage or local files where tokens may be cached
- Exploiting cross-site scripting vulnerabilities to exfiltrate tokens
- Compromising systems where tokens are logged or stored
Once the token is captured, the attacker can replay it against the Airflow API even after the legitimate user has logged out. The attacker maintains access until the token's built-in expiration time is reached.
The vulnerability mechanism involves the server accepting previously-issued JWT tokens without checking against a revocation list. When a logout request is received, the server should add the token to a blocklist and reject subsequent requests bearing that token. In vulnerable versions, this revocation check was absent, allowing continued token use.
For technical implementation details, refer to the Apache Airflow Pull Request #56633 and Pull Request #61339 which implement the fix.
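The mechanism described above, as an added illustration that is not Airflow's own code: a stdlib-only stand-in for the JWT (HMAC-signed, carrying a jti claim) where verify_token is the whole pre-fix check (signature and expiry, no revocation lookup), and HardenedAuth adds the server-side blocklist keyed by jti that the fix introduces. The token format, SECRET and the class and function names are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # placeholder signing key for the demo only

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_token(sub: str, jti: str, ttl: int, now: float) -> str:
    # Minimal HS256-style bearer token (header.payload.signature) standing in for Airflow's JWT
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": sub, "jti": jti, "exp": int(now + ttl)}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token: str, now: float):
    # Signature and expiry only: this is the whole check a vulnerable server performs (CWE-613).
    # Returns the claims dict, or None if the token is malformed, forged or expired.
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return None if claims["exp"] <= now else claims

vulnerable_authenticate = verify_token  # pre-fix server behaviour: logout changes nothing here

class HardenedAuth:
    """Logout records the token id (jti) server-side; later requests bearing it are rejected."""

    def __init__(self) -> None:
        self.revoked = {}  # jti -> exp, so entries can be purged once the token expires anyway

    def logout(self, token: str, now: float) -> None:
        claims = verify_token(token, now)
        if claims:
            self.revoked[claims["jti"]] = claims["exp"]

    def authenticate(self, token: str, now: float):
        claims = verify_token(token, now)
        return None if claims is None or claims["jti"] in self.revoked else claims

    def purge(self, now: float) -> None:
        # Drop blocklist entries whose tokens have expired anyway, keeping the list bounded
        self.revoked = {j: e for j, e in self.revoked.items() if e > now}
```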
Detection Methods for CVE-2025-57735
Indicators of Compromise
- Multiple API requests from different source IP addresses using the same JWT token
- Continued authenticated activity after a user's logout event has been recorded
- JWT token usage patterns that span across user logout timestamps
- Authentication logs showing token reuse from geographically impossible locations
Detection Strategies
- Implement correlation rules that flag API requests occurring after logout events for the same token
- Monitor for JWT tokens being used from multiple IP addresses within short time windows
- Analyze authentication logs for tokens that appear active beyond expected session durations
- Deploy network monitoring to detect potential token interception attempts on internal networks
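The first two detection strategies above as working correlation logic, added here and not part of the advisory: it assumes audit events carry the token id (jti), the source IP, a timestamp and the request path, and it runs over constructed sample lines rather than real Airflow log output.

```python
import json
from collections import defaultdict

# Constructed sample audit events (one JSON object per line); not real Airflow log output.
# Each request/logout carries the JWT id (jti) so events can be tied to one token.
SAMPLE_LOG = """
{"ts": 100, "event": "request", "jti": "t1", "user": "alice", "src_ip": "10.0.0.5", "path": "/api/v2/dags"}
{"ts": 130, "event": "logout", "jti": "t1", "user": "alice", "src_ip": "10.0.0.5", "path": "/auth/logout"}
{"ts": 160, "event": "request", "jti": "t1", "user": "alice", "src_ip": "203.0.113.9", "path": "/api/v2/dags/etl/dagRuns"}
{"ts": 170, "event": "request", "jti": "t2", "user": "bob", "src_ip": "10.0.0.6", "path": "/api/v2/dags"}
{"ts": 175, "event": "request", "jti": "t2", "user": "bob", "src_ip": "198.51.100.7", "path": "/api/v2/variables"}
{"ts": 300, "event": "request", "jti": "t3", "user": "carol", "src_ip": "10.0.0.7", "path": "/api/v2/dags"}
"""

def analyze(log_text: str, multi_ip_window: int = 300) -> dict:
    """Return post-logout token reuse and tokens seen from several IPs within a window."""
    events = sorted((json.loads(line) for line in log_text.strip().splitlines()), key=lambda e: e["ts"])
    logout_at = {}                 # jti -> timestamp of the recorded logout
    requests = defaultdict(list)   # jti -> [(ts, src_ip)] of authenticated requests
    after_logout = []
    for ev in events:
        if ev["event"] == "logout":
            logout_at[ev["jti"]] = ev["ts"]
            continue
        requests[ev["jti"]].append((ev["ts"], ev["src_ip"]))
        if ev["jti"] in logout_at and ev["ts"] > logout_at[ev["jti"]]:
            # Rule 1: the same token is still accepted after its user logged out
            after_logout.append({"jti": ev["jti"], "user": ev["user"], "ts": ev["ts"],
                                 "src_ip": ev["src_ip"], "path": ev["path"],
                                 "seconds_after_logout": ev["ts"] - logout_at[ev["jti"]]})
    multi_ip = []
    for jti, hits in requests.items():
        # Rule 2: one token used from more than one source address within the window
        for i, (ts_a, ip_a) in enumerate(hits):
            if any(ip_b != ip_a and ts_b - ts_a <= multi_ip_window for ts_b, ip_b in hits[i + 1:]):
                multi_ip.append(jti)
                break
    return {"after_logout": after_logout, "multi_ip": multi_ip}
```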
Monitoring Recommendations
- Enable detailed authentication and session logging in Apache Airflow
- Configure SIEM alerts for suspicious token reuse patterns
- Implement real-time monitoring of logout events correlated with subsequent token usage
- Review access logs for authenticated requests that occur after recorded logout events
How to Mitigate CVE-2025-57735
Immediate Actions Required
- Upgrade Apache Airflow to version 3.2.0 or later immediately
- Audit authentication logs for signs of token reuse following user logouts
- Consider forcing re-authentication for all active users after upgrading
- Review network security controls to minimize token interception risks
Patch Information
Apache has addressed this vulnerability in Airflow version 3.2.0 by implementing a server-side token invalidation mechanism at logout. The fix ensures that when a user logs out, their JWT token is added to a revocation list and rejected on subsequent authentication attempts.
Users should upgrade to Airflow 3.2.0 or later to receive this security fix. The patches can be reviewed in the GitHub Pull Request #56633 and GitHub Pull Request #61339.
Additional security guidance is available in the Apache Mailing List announcement and the Openwall OSS-Security discussion.
Workarounds
- Reduce JWT token expiration times to minimize the window of exploitation if immediate upgrade is not possible
- Implement additional network-layer protections such as TLS everywhere to reduce token interception risk
- Deploy network segmentation to limit exposure of Airflow instances to trusted networks only
- Monitor for and investigate any suspicious authentication patterns while awaiting patch deployment
```ini
# Configuration example: shorten token lifetime as a temporary mitigation.
# This is a workaround only; upgrading to 3.2.0+ is the recommended fix.
[api_auth]
# Lifetime of the JWTs issued to API clients (Airflow 3 key), in seconds; 30 minutes here
jwt_expiration_time = 1800

[webserver]
# UI session lifetime, in minutes, so the browser session does not outlive the token
session_lifetime_minutes = 30
# Serve over HTTPS so tokens are not exposed in cleartext on the network
web_server_ssl_cert = /path/to/cert.pem
web_server_ssl_key = /path/to/key.pem
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

