CVE-2025-57735

EPSS 0.04%
Veröffentlicht 09.04.2026 11:12:41
Zuletzt bearbeitet 17.04.2026 13:03:16
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

Apache Airflow: Airflow Logout Not Invalidating JWT

When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about the logout scenario and possibility of intercepting the tokens, should upgrade to Airflow 3.2+



Users are recommended to upgrade to version 3.2.0, which fixes this issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Airflow Version >= 3.0.0 < 3.2.0

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.124

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-613 Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

https://github.com/apache/airflow/pull/61339

Issue Tracking

https://github.com/apache/airflow/pull/56633

Issue Tracking

https://lists.apache.org/thread/ovn8mpd8zkc604hojt7x3wsw3kc60x98

Vendor Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2026/04/09/16

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2025-57735

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-57735

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-57735

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-57735