CVE-2025-50213: Apache Airflow Providers Snowflake package allows for Special Element Injection via CopyFromExternalStageToSnowflakeOperator
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) vulnerability in Apache Airflow Providers Snowflake.
This issue affects Apache Airflow Providers Snowflake: before 6.4.0.
Sanitization of the table and stage parameters was added to CopyFromExternalStageToSnowflakeOperator to prevent SQL injection. Users are recommended to upgrade to version 6.4.0, which fixes the issue.
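The kind of check the fix describes, as an added example (not code from this advisory or from the Airflow project): table and stage names are validated as plain identifiers before they are interpolated into a COPY INTO statement. The function names, the simplified identifier grammar and the sample task arguments are assumptions made for illustration.

```python
import re

# Assumption: only unquoted Snowflake identifiers are accepted (letter or
# underscore first, then letters, digits, "_" or "$"), with at most three
# dot-separated parts (database.schema.object). Quoted names are rejected.
_PART = r"[A-Za-z_][A-Za-z0-9_$]*"
_IDENTIFIER = re.compile(rf"{_PART}(?:\.{_PART}){{0,2}}")


def validate_identifier(value, kind):
    """Return value unchanged if it is a plain identifier, else raise."""
    # fullmatch (not match with "$") so a trailing newline is rejected too.
    if not isinstance(value, str) or not _IDENTIFIER.fullmatch(value):
        raise ValueError(f"invalid {kind} name: {value!r}")
    return value


def build_copy_unsafe(table, stage):
    """Unsanitized pattern: parameters reach the SQL text as-is."""
    return f"COPY INTO {table} FROM @{stage}"


def build_copy_checked(table, stage):
    """Hardened pattern: both names are validated before interpolation."""
    table = validate_identifier(table, "table")
    stage = validate_identifier(stage, "stage")
    return f"COPY INTO {table} FROM @{stage}"


def audit(tasks):
    """Return (task_id, field) for every table/stage value that fails."""
    findings = []
    for task in tasks:
        for field in ("table", "stage"):
            try:
                validate_identifier(task[field], field)
            except ValueError:
                findings.append((task["task_id"], field))
    return findings


# Constructed sample operator arguments, not taken from a real DAG.
SAMPLE_TASKS = [
    {"task_id": "load_orders", "table": "analytics.public.orders", "stage": "raw_stage"},
    {"task_id": "load_from_param", "table": "orders; DROP TABLE audit_log", "stage": "raw_stage"},
    {"task_id": "load_newline", "table": "orders", "stage": "raw_stage\n"},
]

if __name__ == "__main__":
    print(audit(SAMPLE_TASKS))
```

Running `audit` over the arguments a DAG passes to the operator shows which values would have reached the SQL text unchecked on a provider version before 6.4.0.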
References
- github.com/advisories/GHSA-9r64-3wmc-x8m8
- github.com/apache/airflow
- github.com/apache/airflow/pull/51734
- github.com/apache/airflow/pull/51734/commits/bcf19916738e4a7065a3911814ba1fa32d6fd669
- github.com/pypa/advisory-database/tree/main/vulns/apache-airflow-providers-snowflake/PYSEC-2025-51.yaml
- lists.apache.org/thread/2kqfmyt2pghg5f6797g8hzvq331v8qx3
- nvd.nist.gov/vuln/detail/CVE-2025-50213