Moderate severityNVD Advisory· Published Mar 19, 2025· Updated Mar 25, 2025
Apache Airflow MySQL Provider: SQL injection in MySQL provider core function
CVE-2025-27018
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow MySQL Provider.
When user triggered a DAG with dump_sql or load_sql functions they could pass a table parameter from a UI, that could cause SQL injection by running SQL that was not intended. It could lead to data corruption, modification and others. This issue affects Apache Airflow MySQL Provider: before 6.2.0.
Users are recommended to upgrade to version 6.2.0, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
apache-airflow-providers-mysqlPyPI | < 6.2.0 | 6.2.0 |
Affected products
8- osv-coords7 versionspkg:apk/chainguard/airflowpkg:apk/chainguard/airflow-bitnami-compatpkg:apk/chainguard/airflow-compatpkg:apk/wolfi/airflowpkg:apk/wolfi/airflow-bitnami-compatpkg:apk/wolfi/airflow-compatpkg:pypi/apache-airflow-providers-mysql
< 2.10.5-r3+ 6 more
- (no CPE)range: < 2.10.5-r3
- (no CPE)range: < 2.10.5-r3
- (no CPE)range: < 2.10.5-r3
- (no CPE)range: < 2.10.5-r3
- (no CPE)range: < 2.10.5-r3
- (no CPE)range: < 2.10.5-r3
- (no CPE)range: < 6.2.0
- Range: 0
Patches
Vulnerability mechanics
References
6- github.com/apache/airflow/pull/47254ghsapatchWEB
- github.com/apache/airflow/pull/47255ghsapatchWEB
- github.com/advisories/GHSA-hhm6-jjf4-6pm3ghsaADVISORY
- lists.apache.org/thread/m8ohgkwz4mq9njohf66sjwqjdy28gvzfghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2025-27018ghsaADVISORY
- www.openwall.com/lists/oss-security/2025/03/19/4ghsaWEB
News mentions
0No linked articles in our index yet.