Apache Airflow: Stored XSS Vulnerability on provider link
Description
Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link. Users should upgrade to 2.10.0 or later, which fixes this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Airflow before 2.10.0 contains a stored XSS vulnerability that allows a malicious provider developer to inject scripts via provider documentation links.
Vulnerability
CVE-2024-41937 is a stored cross-site scripting (XSS) vulnerability in Apache Airflow, affecting versions prior to 2.10.0. The providers view builds each provider's documentation link from the installed package's `Project-URL` metadata entry of the form `Documentation, <url>` and, before the fix, rendered whatever URL it found there without checking its scheme. A malicious provider package can therefore ship a `javascript:` URL in that field; when an authenticated user clicks the link, the browser executes the script in the context of the Airflow web UI session [2][3].
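To make the mechanism concrete, here is an added example (my code, not Airflow's, although the hardened check mirrors the scheme-and-netloc test in the fix commit): the pre-fix selection that trusts the metadata URL verbatim, beside a hardened version, run over constructed `Project-URL` entries, plus an audit helper that scans the distributions installed in the current interpreter. The `FAKE_PROJECT_URLS` table and the `evil-provider*` names are constructed for the demonstration, and `default_docs_url` is a simplified stand-in for Airflow's fallback link whose shape matches the default URL shown in the patch's test.

```python
"""Added example (not Airflow's code): trusting vs. validating a provider's
'Documentation' Project-URL, and auditing installed distributions for it."""
from importlib import metadata
from urllib.parse import urlparse

# Constructed stand-in for metadata.metadata(name).get_all("Project-URL").
# The airbyte entry mirrors the shape used in Airflow's own test; the
# evil-provider* names and their URLs are hypothetical.
FAKE_PROJECT_URLS = {
    "apache-airflow-providers-airbyte": [
        "Documentation, https://airflow.apache.org/docs/apache-airflow-providers-airbyte/3.8.1/",
        "Source Code, https://github.com/apache/airflow",
    ],
    "evil-provider": ["Documentation, javascript:prompt(document.domain)"],
    "evil-provider-upper": ["Documentation,   JavaScript:alert(1)"],
    "evil-provider-data": ["Documentation, data:text/html,<script>alert(1)</script>"],
    "evil-provider-relative": ["Documentation, //attacker.example/x"],
}


def default_docs_url(provider_name: str, provider_version: str) -> str:
    """Simplified stand-in for the fallback link Airflow builds when no usable
    Documentation URL is found (same shape as the default in the patch's test)."""
    return f"https://airflow.apache.org/docs/{provider_name}/{provider_version}/"


def documentation_entries(project_urls):
    """Yield the URL part of every 'Documentation, <url>' Project-URL entry."""
    if isinstance(project_urls, str):
        project_urls = [project_urls]
    for item in project_urls or []:
        if item.lower().startswith("documentation"):
            _, _, url = item.partition(",")
            if url:
                yield url


def doc_url_vulnerable(provider_name: str, provider_version: str, project_urls) -> str:
    """Pre-fix behaviour: the first Documentation URL is rendered as-is,
    so 'javascript:...' ends up in an <a href> the user can click."""
    for url in documentation_entries(project_urls):
        return url.strip()
    return default_docs_url(provider_name, provider_version)


def is_safe_http_url(url: str) -> bool:
    """Accept only absolute http(s) URLs. javascript:, data: and vbscript:
    fail the scheme test; scheme-relative '//host/path' fails it too (empty
    scheme); a bare 'https:' fails the netloc test."""
    parsed = urlparse(url.strip())  # strip first so the checked string is the returned one
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def doc_url_hardened(provider_name: str, provider_version: str, project_urls) -> str:
    """Post-fix behaviour: fall back to the default link unless the
    metadata URL is an absolute http(s) URL."""
    for url in documentation_entries(project_urls):
        if is_safe_http_url(url):
            return url.strip()
    return default_docs_url(provider_name, provider_version)


def audit_installed_distributions():
    """Return (distribution name, url) pairs for every installed distribution
    whose Documentation Project-URL is not an absolute http(s) URL. Runs
    against the current interpreter; an empty list is the normal result."""
    findings = []
    for dist in metadata.distributions():
        md = dist.metadata
        if md is None:  # broken install with no METADATA file
            continue
        for url in documentation_entries(md.get_all("Project-URL")):
            if not is_safe_http_url(url):
                findings.append((md["Name"], url.strip()))
    return findings


if __name__ == "__main__":
    for name, urls in FAKE_PROJECT_URLS.items():
        print(f"{name}: vulnerable -> {doc_url_vulnerable(name, '1.0.0', urls)}")
        print(f"{name}: hardened   -> {doc_url_hardened(name, '1.0.0', urls)}")
    print("suspicious installed distributions:", audit_installed_distributions())
```

Note that the hardened check deliberately rejects a scheme-relative `//host/path` as well: `urlparse` gives it an empty scheme, so it never reaches the browser as a link the page cannot account for. The audit helper only flags non-http(s) documentation URLs in the packages of the interpreter it runs in, so run it with the webserver's virtualenv to check the environment the UI actually renders from.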
Exploitation
Prerequisites
Exploitation requires two conditions: first, the attacker must control a provider package (specifically its packaging metadata) that is installed on the Airflow webserver; second, a victim user must click the crafted provider documentation link in the providers view. The attack does not require the attacker to have any access to the server beyond getting the provider installed [3].
Impact
If successful, the attacker can perform actions within the context of the victim's session, such as stealing authentication tokens, accessing sensitive workflow data, or performing administrative actions on behalf of the user. The severity is rated as low due to the required preconditions [3].
Mitigation
The vulnerability has been fixed in Apache Airflow version 2.10.0. Users are advised to upgrade their Airflow installations to this version or later to prevent exploitation [2][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| apache-airflow (PyPI) | < 2.10.0 | 2.10.0 |
Affected products
OSV coordinates (9 entries, 8 version ranges); none of the package entries carries a CPE.

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/airflow | < 2.10.0-r0 |
| pkg:apk/chainguard/airflow-bitnami-compat | < 2.10.0-r0 |
| pkg:apk/chainguard/airflow-compat | < 2.10.0-r0 |
| pkg:apk/wolfi/airflow | < 2.10.0-r0 |
| pkg:apk/wolfi/airflow-bitnami-compat | < 2.10.0-r0 |
| pkg:apk/wolfi/airflow-compat | < 2.10.0-r0 |
| pkg:bitnami/airflow | < 2.10.0 |
| pkg:pypi/apache-airflow | < 2.10.0 |

- Apache Software Foundation / Apache Airflow (v5, range: 0)
Patches
f1852c2ab28b Validating provider documentation urls before displaying in views (#40933)
2 files changed · +41 −2
airflow/utils/docs.py+10 −2 modified@@ -39,17 +39,25 @@ def get_docs_url(page: str | None = None) -> str: return result +def get_project_url_from_metadata(provider_name: str): + """Return the Project-URL from metadata.""" + return metadata.metadata(provider_name).get_all("Project-URL") + + def get_doc_url_for_provider(provider_name: str, provider_version: str) -> str: """Prepare link to Airflow Provider documentation.""" try: - metadata_items = metadata.metadata(provider_name).get_all("Project-URL") + from urllib.parse import urlparse + + metadata_items = get_project_url_from_metadata(provider_name) if isinstance(metadata_items, str): metadata_items = [metadata_items] if metadata_items: for item in metadata_items: if item.lower().startswith("documentation"): _, _, url = item.partition(",") - if url: + parsed_url = urlparse(url) + if url and (parsed_url.scheme in ("http", "https") and bool(parsed_url.netloc)): return url.strip() except metadata.PackageNotFoundError: pass
tests/www/views/test_views.py+31 −0 modified@@ -32,6 +32,7 @@ write_webserver_configuration_if_needed, ) from airflow.plugins_manager import AirflowPlugin, EntryPointSource +from airflow.utils.docs import get_doc_url_for_provider from airflow.utils.task_group import TaskGroup from airflow.www.views import ( ProviderView, @@ -180,6 +181,36 @@ def test__clean_description(admin_client, provider_description, expected): assert actual == expected +@pytest.mark.parametrize( + "provider_name, project_url, expected", + [ + ( + "apache-airflow-providers-airbyte", + "Documentation, https://airflow.apache.org/docs/apache-airflow-providers-airbyte/3.8.1/", + "https://airflow.apache.org/docs/apache-airflow-providers-airbyte/3.8.1/", + ), + ( + "apache-airflow-providers-amazon", + "Documentation, https://airflow.apache.org/docs/apache-airflow-providers-amazon/8.25.0/", + "https://airflow.apache.org/docs/apache-airflow-providers-amazon/8.25.0/", + ), + ( + "apache-airflow-providers-apache-druid", + "Documentation, javascript:prompt(document.domain)", + # the default one is returned + "https://airflow.apache.org/docs/apache-airflow-providers-apache-druid/1.0.0/", + ), + ], +) +@patch("airflow.utils.docs.get_project_url_from_metadata") +def test_get_doc_url_for_provider( + mock_get_project_url_from_metadata, admin_client, provider_name, project_url, expected +): + mock_get_project_url_from_metadata.return_value = [project_url] + actual = get_doc_url_for_provider(provider_name, "1.0.0") + assert actual == expected + + def test_endpoint_should_not_be_unauthenticated(app): resp = app.test_client().get("/provider", follow_redirects=True) check_content_not_in_response("Providers", resp)
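Review bot: in the `airflow/utils/docs.py` hunk, `get_doc_url_for_provider` parses `url` exactly as it comes out of `item.partition(",")`, i.e. with the leading space of `Documentation, https://...`, but then returns `url.strip()`, so the string that is validated is not the string that is returned, and accepting the leading-space form relies on `urlparse` discarding leading whitespace rather than on the code. Strip once before parsing so the same value is checked and returned: `url = url.strip()`, `parsed_url = urlparse(url)`, `return url`. The `from urllib.parse import urlparse` placed inside the `try` block also belongs with the module's other imports at the top of the file.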
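Review bot: in the `tests/www/views/test_views.py` hunk, the only rejected input in `test_get_doc_url_for_provider` is `javascript:prompt(document.domain)`, so the `parsed_url.scheme in ("http", "https") and bool(parsed_url.netloc)` condition is exercised on one side only; add parametrized cases for `data:` and `vbscript:` URLs, a scheme-relative `//host/path`, a mixed-case `JavaScript:` prefix and a bare `https:` with no host, each expected to fall back to the default link, so the scheme check and the netloc check are both pinned. The `admin_client` fixture is requested by the test but never used; drop it unless the app context is needed for `get_doc_url_for_provider`.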
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/apache/airflow/pull/40933 (GHSA; patch)
- https://github.com/advisories/GHSA-w7cp-g8v7-r54m (GHSA; advisory)
- https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d (GHSA; vendor advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2024-41937 (GHSA; advisory)
- https://www.openwall.com/lists/oss-security/2024/08/21/3 (GHSA)
- https://github.com/apache/airflow/commit/f1852c2ab28b155e196569780013fbb61a4a1f98 (GHSA; fix commit)
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-181.yaml (GHSA)