CVE-2025-27018: Apache Airflow MySQL Provider is Vulnerable to SQL Injection

March 19, 2025 (updated March 20, 2025)

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Apache Airflow MySQL Provider.

When user triggered a DAG with dump_sql or load_sql functions they could pass a table parameter from a UI, that could cause SQL injection by running SQL that was not intended. It could lead to data corruption, modification and others. This issue affects Apache Airflow MySQL Provider: before 6.2.0.

Users are recommended to upgrade to version 6.2.0, which fixes the issue.

References

github.com/advisories/GHSA-hhm6-jjf4-6pm3
github.com/apache/airflow
github.com/apache/airflow/pull/47254
github.com/apache/airflow/pull/47255
lists.apache.org/thread/m8ohgkwz4mq9njohf66sjwqjdy28gvzf
nvd.nist.gov/vuln/detail/CVE-2025-27018

Detect and mitigate CVE-2025-27018 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →