CRITICAL🇵🇱 Wersja polska

CVE-2025-67895

CVSS 9.8v3.1pub. 2025-12-17upd. 2025-12-22

Edge3 Worker RPC RCE on Airflow 2. This issue affects Apache Airflow Providers Edge3: before 2.0.0 - and only if you installed and configured it on Airflow 2. The Edge3 provider support in Airflow 2 has been always development-only and not officially released, however if you installed and configured Edge3 provider in Airflow 2, it implicitly enabled non-public (normally) API which was used to test Edge Provider in Airflow 2 during the development. This API allowed Dag author to perform Remote Code Execution in the webserver context, which Dag Author was not supposed to be able to do. If you installed and configured Edge3 provider for Airflow 2, you should uninstall it and migrate to Airflow 3. The new Edge3 provider versions (>=2.0.0) has minimum version of Airflow set to 3 and the RCE-prone Airflow 2 code is removed, so it should no longer be possible to use the Edge3 provider 2.0.0+ on Airflow 2. If you used Edge Provider in Airflow 3, you are not affected.

🤖 AI Analysis
How it works

Support for the Edge3 provider on Airflow 2 was exclusively developmental in nature and was never officially released. However, installing and configuring the Edge3 provider on Airflow 2 implicitly activated an undocumented API created solely for testing purposes during development. This API allowed a DAG author to execute arbitrary code in the context of the Airflow 2 webserver process — that is, with privileges that a DAG author should not normally have. In Airflow 3, the vulnerable code was removed, and Edge3 provider versions >= 2.0.0 require at least Airflow 3.

Impact

An attacker with DAG author privileges can execute arbitrary code (RCE) in the context of the Airflow 2 webserver process, which can lead to complete compromise of system confidentiality, integrity, and availability.

Mitigation & patch

The Edge3 provider should be uninstalled from Airflow 2 and migration to Airflow 3 should be performed. Edge3 provider versions >= 2.0.0 require at least Airflow 3 and do not contain vulnerable code — however, it is not possible to use Edge3 provider 2.0.0+ on Airflow 2. If migration to Airflow 3 is not immediately possible, the Edge3 provider should be immediately uninstalled from Airflow 2.

Who is affected

Apache Airflow Providers Edge3 versions before 2.0.0, installed and configured on Apache Airflow 2. Installations based on Airflow 3 are not vulnerable.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Airflow Providers Edge3

    APP
    Apache
    < 2.0.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2025-24813CRITICAL9.8⚠ KEVPL ✓ten sam vendor

Apache Tomcat: Path Equivalence prowadzący do RCE i ujawnienia danych

CVE-2024-38856CRITICAL9.8⚠ KEVPL ✓ten sam vendor

Apache OFBiz — nieautoryzowane wykonanie kodu przez błędną autoryzację

CVE-2024-38475CRITICAL9.1⚠ KEVPL ✓ten sam vendor

Apache HTTP Server mod_rewrite — ujawnienie kodu i RCE poprzez błędne escapowanie

CVE-2024-32113CRITICAL9.8⚠ KEVPL ✓ten sam vendor

Path Traversal w Apache OFBiz umożliwiający zdalne wykonanie kodu

CVE-2024-27348CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE w Apache HugeGraph-Server — zdalne wykonanie poleceń bez uwierzytelnienia