logo

Database

NoSQL injection In apache-airflow-providers-snowflake

Description

Apache Airflow Providers Snowflake package allows for Special Element Injection via CopyFromExternalStageToSnowflakeOperator Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) vulnerability in Apache Airflow Providers Snowflake.

This issue affects Apache Airflow Providers Snowflake: before 6.4.0.

Sanitation of table and stage parameters were added in CopyFromExternalStageToSnowflakeOperator to prevent SQL injection Users are recommended to upgrade to version 6.4.0, which fixes the issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-502132. NVD-2025-502133. OSV-2025-502134. GCVE-2025-50213

References

1. https://github.com/apache/airflow/pull/517342. https://github.com/apache/airflow/pull/51734/commits/bcf19916738e4a7065a3911814ba1fa32d6fd6693. https://github.com/apache/airflow4. https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow-providers-snowflake/PYSEC-2025-51.yaml5. https://lists.apache.org/thread/2kqfmyt2pghg5f6797g8hzvq331v8qx3

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.