CVE-2025-27018 – apache-airflow-providers-mysql
Package
Manager: pip
Name: apache-airflow-providers-mysql
Vulnerable Version: >=0 <6.2.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00059 (percentile 0.18713)
Details
Apache Airflow MySQL Provider is Vulnerable to SQL Injection

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow MySQL Provider. When a user triggered a DAG with the dump_sql or load_sql functions, they could pass a table parameter from the UI, which could cause SQL injection by running SQL that was not intended. This could lead to data corruption, modification and others. This issue affects Apache Airflow MySQL Provider: before 6.2.0. Users are recommended to upgrade to version 6.2.0, which fixes the issue.
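A pre-flight check for DAG code that accepts a table parameter, as an added example that is not the provider's own code or its 6.2.0 fix: it flags an installed provider older than 6.2.0 and refuses table values that are not plain identifiers. The function names, the identifier allowlist and the `LOAD DATA` statement shape are assumptions made for illustration.

```python
import re
from importlib import metadata

FIXED = (6, 2, 0)  # first fixed release, per the advisory
# Assumption: tables are plain or schema-qualified identifiers, nothing else.
_IDENT = re.compile(r"[A-Za-z0-9_]{1,64}(?:\.[A-Za-z0-9_]{1,64})?")


def provider_is_vulnerable(version: str) -> bool:
    """True when the numeric prefix of a release string sorts before 6.2.0."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("+")[0])[:3]]
    nums += [0] * (3 - len(nums))
    return tuple(nums) < FIXED


def installed_provider_version(dist: str = "apache-airflow-providers-mysql"):
    """Return the installed distribution version, or None if it is absent."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None


def checked_table(table: str) -> str:
    """Reject any table value that is not a bare identifier."""
    if not isinstance(table, str) or not _IDENT.fullmatch(table):
        raise ValueError(f"refusing table parameter: {table!r}")
    return table


def build_load_statement(table: str) -> str:
    # A table name cannot be sent as a bound parameter, so it is validated
    # and backtick-quoted; the file path remains a bound %s parameter.
    quoted = ".".join(f"`{p}`" for p in checked_table(table).split("."))
    return f"LOAD DATA LOCAL INFILE %s INTO TABLE {quoted}"


if __name__ == "__main__":
    v = installed_provider_version()
    state = "vulnerable" if v and provider_is_vulnerable(v) else "fixed or absent"
    print(f"provider version: {v} ({state})")
    # Constructed sample inputs, as a UI-supplied table value might arrive.
    for sample in ("staging.events", "events; DROP TABLE events"):
        try:
            print(build_load_statement(sample))
        except ValueError as exc:
            print(exc)
```

Upgrading to 6.2.0 remains the fix the advisory recommends; validation in DAG code only narrows what a triggering user can submit in the meantime.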
Metadata
Created: 2025-03-19T09:30:27Z
Modified: 2025-03-25T20:16:20Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-hhm6-jjf4-6pm3/GHSA-hhm6-jjf4-6pm3.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-hhm6-jjf4-6pm3
Finding: F297
Auto approve: 1