VYPR
Moderate severity · NVD Advisory · Published Feb 21, 2026 · Updated Mar 8, 2026

Apache Airflow: Disclosure of secrets to UI via kwargs

CVE-2025-65995

Description

When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view that DAG.

The issue has been fixed in Airflow 3.1.4 and 2.11.1, and users are strongly advised to upgrade to prevent potential disclosure of sensitive information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Airflow UI error tracebacks could expose sensitive operator kwargs (including secrets) to authenticated users viewing a failed DAG parse.

Vulnerability

Overview

CVE-2025-65995 is an information disclosure vulnerability in Apache Airflow. When a Directed Acyclic Graph (DAG) fails to parse, Airflow's error-reporting mechanism in the UI can include the full kwargs (keyword arguments) passed to the operators. If those kwargs contain sensitive values—such as secrets, passwords, API keys, or connection strings—they may be exposed in the resulting UI tracebacks [1][4].

Exploitation & Attack Surface

The vulnerability does not require an attacker to have access to logs or a command-line interface; the exposure occurs directly within the Airflow web UI. To exploit this, an authenticated user must have permission to view the DAG whose parsing failed. No additional privileges or network access beyond the standard UI are needed. The bug is rooted in how Airflow's error-handling code constructs traceback messages: it previously failed to redact operator arguments before rendering them in the UI [3].

Impact

An authenticated user who can view a DAG that encountered a parse error can potentially read any secret values passed as kwargs to the operators defined in that DAG. This could lead to credential theft, unauthorized access to external systems, or further compromise of the Airflow environment. The disclosure is limited to the UI traceback and only applies to DAGs that actually fail parsing; successfully parsed DAGs are not affected.

Mitigation & Remediation

The issue has been addressed in Airflow versions 3.1.4 and 2.11.1. The fix ensures that operator kwargs are properly redacted (masked) in error tracebacks displayed in the UI [1][3][4]. Users running earlier versions are strongly advised to upgrade to one of the patched releases. No workarounds are mentioned in the references, and the vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
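To make the failure mode and the fix described above concrete, here is an added, self-contained Python sketch (illustrative code, not Airflow's own error-handling or secrets-masking implementation): an import-error message that interpolates an operator's full kwargs leaks a credential, while masking sensitive-looking keys before rendering does not. The operator name, kwargs, key-name pattern and helper functions are constructed for this example.

```python
import re
from typing import Any, Mapping

# Constructed for this example: key names treated as sensitive when they appear
# in operator kwargs. Matching is by key name, not by value.
SENSITIVE_KEY_RE = re.compile(
    r"(password|passwd|secret|token|api_key|apikey|private_key|authorization)", re.I
)
MASK = "***"


def mask_kwargs(kwargs: Mapping[str, Any]) -> dict:
    """Return a copy of kwargs with values of sensitive-looking keys replaced by MASK.

    Nested mappings are masked recursively so a secret inside e.g. `extra` is hidden too.
    """
    masked = {}
    for key, value in kwargs.items():
        if SENSITIVE_KEY_RE.search(key):
            masked[key] = MASK
        elif isinstance(value, Mapping):
            masked[key] = mask_kwargs(value)
        else:
            masked[key] = value
    return masked


def render_import_error_unsafe(dag_id: str, operator: str, kwargs: Mapping[str, Any], exc: Exception) -> str:
    """Vulnerable pattern: the full kwargs are interpolated into the message shown in the UI."""
    return f"Broken DAG {dag_id!r}: {operator}({kwargs!r}) failed: {exc}"


def render_import_error(dag_id: str, operator: str, kwargs: Mapping[str, Any], exc: Exception) -> str:
    """Hardened pattern: kwargs are masked before the message is constructed."""
    return f"Broken DAG {dag_id!r}: {operator}({mask_kwargs(kwargs)!r}) failed: {exc}"


def leaks(message: str, secrets: list[str]) -> list[str]:
    """Defender-side check: which known secret values appear verbatim in a rendered message."""
    return [s for s in secrets if s in message]


if __name__ == "__main__":
    # Constructed sample: a DAG whose operator kwargs carry credentials and then fails to parse.
    kwargs = {"conn_id": "warehouse", "password": "hunter2", "extra": {"api_token": "tok-ABC123"}}
    exc = TypeError("unexpected keyword argument 'extra'")
    unsafe = render_import_error_unsafe("example_dag", "MyOperator", kwargs, exc)
    safe = render_import_error("example_dag", "MyOperator", kwargs, exc)
    print(unsafe)
    print(safe)
    print("leaked (unsafe):", leaks(unsafe, ["hunter2", "tok-ABC123"]))  # ['hunter2', 'tok-ABC123']
    print("leaked (safe):  ", leaks(safe, ["hunter2", "tok-ABC123"]))    # []
```

The `leaks` check is the kind of regression test a team can run over rendered UI error messages after patching, using secrets from a test fixture rather than production values.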

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Affected versions           Patched versions
apache-airflow (PyPI)    < 2.11.1                    2.11.1
apache-airflow (PyPI)    >= 3.0.0b1, < 3.1.5rc1      3.1.5rc1

Affected products (1)

  • Apache Software Foundation / Apache Airflow (v5)
    Range: 3.0.0

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (6)

News mentions (0)

No linked articles in our index yet.