CVE-2025-65995
Apache Airflow error reporting may expose full kwargs
CVSS 3.1 base score: 6.5 (MEDIUM)
EPSS: 0.02%
Description
When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view that DAG. The issue has been fixed in Airflow 3.1.5rc1 and 2.11.1, and users are strongly advised to upgrade to prevent potential disclosure of sensitive information.
How to fix CVE-2025-65995
To remediate CVE-2025-65995, upgrade the affected package to a fixed version below.
- Upgrade to 2.11.1 or later
Is CVE-2025-65995 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- Affected versions: >= 0 and < 2.11.1, or >= 3.0.0 and < 3.1.4
- Affected versions: >= 0 and < 2.11.1
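As an added example (not Airflow's own code and not taken from this advisory), the following Python helper checks an installed Airflow version against the affected ranges listed above and masks sensitive-looking operator kwargs before they are placed in an error message, which is the defensive counterpart of the exposure the description explains. The sensitive-key pattern and the sample kwargs are assumptions.

```python
import re
from typing import Any

# Affected ranges as listed on this advisory page: < 2.11.1, or >= 3.0.0 and < 3.1.4.
AFFECTED_RANGES = [((0, 0, 0), (2, 11, 1)), ((3, 0, 0), (3, 1, 4))]

# Key names treated as sensitive (assumed list; extend it for your deployment).
SENSITIVE_KEY = re.compile(r"(password|passwd|secret|token|api[_-]?key|private[_-]?key)", re.I)
REDACTED = "***"


def parse_version(version: str) -> tuple:
    """Turn '2.10.3' or '3.1.5rc1' into a comparable numeric tuple (pre-release tags ignored)."""
    parts = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not parts:
        raise ValueError(f"unrecognised version: {version}")
    return tuple(int(p) for p in parts.groups())


def is_affected(version: str) -> bool:
    """True when an installed Airflow version falls inside a range the advisory lists."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def redact_kwargs(kwargs: Any) -> Any:
    """Return a copy of operator kwargs with sensitive values masked, recursing into nested containers."""
    if isinstance(kwargs, dict):
        return {k: (REDACTED if isinstance(k, str) and SENSITIVE_KEY.search(k) else redact_kwargs(v))
                for k, v in kwargs.items()}
    if isinstance(kwargs, (list, tuple)):
        return type(kwargs)(redact_kwargs(v) for v in kwargs)
    return kwargs


if __name__ == "__main__":
    # Constructed sample: the kind of kwargs a DAG author might pass to an operator.
    sample = {"task_id": "load", "conn": {"host": "db.internal", "password": "hunter2"},
              "headers": [{"Authorization-Token": "abc"}]}
    print(is_affected("2.10.5"), is_affected("3.1.4"))  # True False
    print(redact_kwargs(sample))
```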
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |