CVE-2025-65995 Overview
CVE-2025-65995 is an Information Disclosure vulnerability in Apache Airflow that exposes sensitive information through error messages during DAG parsing failures. When a Directed Acyclic Graph (DAG) fails during parsing, Airflow's error-reporting mechanism in the UI could include the full keyword arguments (kwargs) passed to operators. If those kwargs contained sensitive values such as API keys, database credentials, or other secrets, they could be exposed in the UI tracebacks to authenticated users who had permission to view that DAG.
Critical Impact
Authenticated users with DAG view permissions may gain unauthorized access to sensitive credentials, API keys, and secrets embedded in operator arguments through error message exposure in the Airflow UI.
Affected Products
- Apache Airflow versions prior to 3.1.4
- Apache Airflow versions prior to 2.11.1
- Apache Airflow deployments using operators with sensitive kwargs
Discovery Timeline
- 2026-02-21 - CVE-2025-65995 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2025-65995
Vulnerability Analysis
This vulnerability is classified under CWE-209 (Generation of Error Message Containing Sensitive Information). The issue stems from Apache Airflow's error handling mechanism that displays verbose debugging information when DAG parsing fails. The error-reporting functionality was designed to help users debug DAG configuration issues, but it inadvertently included the complete kwargs dictionary passed to operators without sanitizing sensitive values.
The network-accessible attack vector allows authenticated users with legitimate DAG viewing permissions to exploit this vulnerability. An attacker with low-privilege access to the Airflow UI could intentionally cause DAG parsing failures or simply wait for natural parsing errors to occur, then examine the resulting error tracebacks for exposed secrets.
The impact is limited to confidentiality, as this vulnerability allows unauthorized disclosure of sensitive information but does not permit modification of data or denial of service. However, exposed credentials could enable secondary attacks against connected systems.
Root Cause
The root cause lies in Airflow's exception handling and traceback rendering logic during DAG parsing. When an operator instantiation fails, the framework captures and displays the full exception context, including all arguments passed to the operator constructor. This design prioritized debugging convenience over security, failing to redact or mask potentially sensitive parameter values before displaying them to users.
The error rendering code did not distinguish between safe-to-display configuration parameters and sensitive values that should be masked, leading to indiscriminate exposure of all kwargs in the UI traceback display.
Attack Vector
The attack exploits the network-accessible Airflow web interface and requires authenticated access with DAG view permissions. An attacker can trigger this vulnerability through the following mechanism:
- The attacker authenticates to the Airflow UI with valid credentials that grant DAG viewing permissions
- The attacker navigates to view a DAG that experiences a parsing failure (either naturally occurring or intentionally triggered through configuration manipulation if the attacker has additional privileges)
- The Airflow UI displays the full exception traceback, including sensitive kwargs such as database connection strings, API tokens, or cloud provider credentials
- The attacker extracts the exposed secrets from the error message display
The vulnerability is particularly dangerous in multi-tenant Airflow environments where users may have legitimate access to view certain DAGs but should not have access to the underlying credentials those DAGs use.
Detection Methods for CVE-2025-65995
Indicators of Compromise
- Unusual patterns of users accessing DAG error pages or traceback views in Airflow audit logs
- Multiple authentication attempts followed by immediate navigation to DAGs known to have parsing issues
- User accounts accessing DAG views outside their normal operational scope
- Suspicious credential usage in external systems that were configured as operator kwargs
Detection Strategies
- Enable and monitor Airflow access logs for patterns indicating systematic browsing of DAG error pages
- Implement audit logging on the Airflow webserver to track which users view specific DAG tracebacks
- Deploy SIEM rules to detect multiple rapid accesses to error pages from the same user session
- Monitor for credential usage anomalies in systems connected to Airflow that may indicate compromised secrets
Monitoring Recommendations
- Review Airflow webserver access logs for requests to error and traceback endpoints
- Implement alerting for bulk access to DAG detail pages showing parsing errors
- Monitor authentication logs for unusual access patterns to the Airflow UI
- Conduct periodic audits of which users have accessed DAGs containing sensitive operator configurations
How to Mitigate CVE-2025-65995
Immediate Actions Required
- Upgrade Apache Airflow to version 3.1.4 or 2.11.1 immediately to receive the security fix
- Audit existing DAGs to identify operators that may have sensitive values in kwargs
- Rotate any credentials that may have been exposed through DAG parsing errors prior to patching
- Review Airflow access logs to identify potential unauthorized access to sensitive information
Patch Information
The vulnerability has been fixed in Apache Airflow versions 3.1.4 and 2.11.1. The patches address the issue by sanitizing error messages to prevent sensitive kwargs from being displayed in UI tracebacks. Users are strongly advised to upgrade to these versions immediately.
For detailed patch information, refer to:
Workarounds
- Restrict DAG view permissions to only essential personnel until the patch can be applied
- Migrate sensitive values from inline kwargs to Airflow Connections, Variables, or external secret management systems
- Implement network segmentation to limit access to the Airflow UI from trusted networks only
- Use Airflow's built-in secret backend feature to store and retrieve sensitive values rather than embedding them in DAG code
# Configuration example: Migrate secrets to Airflow Connections
# Instead of passing credentials directly in operator kwargs:
# MyOperator(api_key="secret_value")
#
# Store the credential in an Airflow Connection and reference it:
airflow connections add 'my_api_connection' \
--conn-type 'http' \
--conn-password 'your_api_key_here'
# Then reference the connection in your DAG:
# MyOperator(conn_id='my_api_connection')
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
