First published: Wed Mar 19 2025
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow MySQL Provider. When a user triggered a DAG that used the dump_sql or load_sql functions, they could pass a table parameter from the UI that was not neutralized, causing the provider to run SQL that was not intended. This could lead to data corruption, modification and other unintended effects. This issue affects Apache Airflow MySQL Provider before 6.2.0. Users are recommended to upgrade to version 6.2.0, which fixes the issue.
Credit: security@apache.org
Affected Software | Affected Version | How to fix
---|---|---
Apache Airflow MySQL Provider | <6.2.0 | Upgrade to 6.2.0
pip/apache-airflow-providers-mysql | <6.2.0 | 6.2.0
CVE-2025-27018 is rated as a medium severity vulnerability because it allows SQL injection.
To fix CVE-2025-27018, upgrade the Apache Airflow MySQL Provider (the apache-airflow-providers-mysql package) to version 6.2.0 or later.
CVE-2025-27018 affects all versions of the Apache Airflow MySQL Provider before 6.2.0.
CVE-2025-27018 is an SQL injection vulnerability (CWE-89, Improper Neutralization of Special Elements used in an SQL Command).
An attacker who can trigger a DAG that uses the dump_sql or load_sql functions can pass a crafted table parameter through the Airflow UI; because the value is not neutralized, the resulting SQL statement is altered, which can corrupt or modify data.
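The defect described above is a table name, supplied by whoever triggers the DAG, being interpolated straight into a dump or load statement. The following is an added example, not code from the Apache Airflow MySQL Provider: the build_*_unsafe functions are hypothetical stand-ins for that pattern, MALICIOUS_TABLE is a constructed payload, and the hardened builders show the usual remedy for an identifier (which cannot be bound as a query parameter): validate it against a strict pattern and quote it with backticks. The hardened builders also pass the file path as a driver parameter, which assumes a client-side-substituting DB-API driver such as mysqlclient or PyMySQL.

```python
from __future__ import annotations

import re

# Added example, not the provider's own code. MALICIOUS_TABLE is a constructed value of the
# kind a user could type as the "table" parameter in the DAG trigger form; the payload is
# illustrative and not taken from the advisory.
MALICIOUS_TABLE = "orders; DROP TABLE audit_log; -- "


def build_dump_sql_unsafe(table: str, outfile: str) -> str:
    """Vulnerable pattern (hypothetical): the table name is pasted verbatim into the statement."""
    return f"SELECT * FROM {table} INTO OUTFILE '{outfile}'"


def build_load_sql_unsafe(table: str, infile: str) -> str:
    """Vulnerable pattern (hypothetical): the same defect on the load side."""
    return f"LOAD DATA LOCAL INFILE '{infile}' INTO TABLE {table}"


# A table name is an identifier, not a value, so it cannot be sent as a bind parameter.
# Validate it against a strict pattern and quote it with backticks before it touches SQL.
_IDENT = re.compile(r"[A-Za-z0-9_]{1,64}")  # ASCII subset of MySQL unquoted identifiers


class InvalidTableName(ValueError):
    pass


def is_safe_table_name(table: str) -> bool:
    """True for a plain `table` or `schema.table` name made only of [A-Za-z0-9_]."""
    parts = table.split(".")
    return 1 <= len(parts) <= 2 and all(_IDENT.fullmatch(p) for p in parts)


def quote_identifier(table: str) -> str:
    """Return the backtick-quoted identifier, or raise before any SQL is built."""
    if not is_safe_table_name(table):
        raise InvalidTableName(f"rejected table name: {table!r}")
    return ".".join(f"`{part}`" for part in table.split("."))


def build_dump_sql_safe(table: str, outfile: str) -> tuple[str, tuple[str]]:
    """Hardened dump: validated identifier in the text, file path left to the driver's
    parameter escaping (assumed client-side substitution, so execute(sql, params)
    renders the path as a string literal)."""
    return f"SELECT * FROM {quote_identifier(table)} INTO OUTFILE %s", (outfile,)


def build_load_sql_safe(table: str, infile: str) -> tuple[str, tuple[str]]:
    """Hardened load, same treatment as the dump side."""
    return f"LOAD DATA LOCAL INFILE %s INTO TABLE {quote_identifier(table)}", (infile,)


if __name__ == "__main__":
    # The unsafe builder turns the user's "table" into three statements.
    print(build_dump_sql_unsafe(MALICIOUS_TABLE, "/tmp/orders.csv"))
    # The safe builder refuses the same value before anything reaches the database.
    try:
        build_dump_sql_safe(MALICIOUS_TABLE, "/tmp/orders.csv")
    except InvalidTableName as exc:
        print("rejected:", exc)
    print(build_load_sql_safe("analytics.orders", "/tmp/orders.csv"))
```

Whether a deployment is exposed is a version question: `pip show apache-airflow-providers-mysql` reports the installed provider version, and anything below 6.2.0 should be upgraded rather than patched locally with a check like the one above.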