CVE-2025-57735
Apache · Airflow
Apache Airflow fails to invalidate JWT tokens upon user logout, potentially allowing intercepted tokens to be reused by unauthorized actors.
Executive summary
A critical authentication vulnerability in Apache Airflow allows for potential session hijacking via uninvalidated JWT tokens, necessitating an immediate upgrade to version 3.2.0.
Vulnerability
This vulnerability involves the improper management of authentication state, specifically the failure to invalidate JSON Web Tokens (JWT) upon logout. An attacker who has intercepted a valid user's token can continue to access the system even after the legitimate user has signed out.
Business impact
The failure to invalidate authentication tokens poses a severe risk of unauthorized access to sensitive data and administrative functions within the Airflow environment. Given the CVSS score of 9.1, this flaw could lead to complete system compromise if an attacker successfully captures a session token. Such unauthorized access could result in data exfiltration or the execution of malicious workflows.
Remediation
Immediate Action: Upgrade all Apache Airflow instances to version 3.2.0 or higher immediately to implement the required token invalidation mechanism.
Proactive Monitoring: Review authentication and access logs for anomalous session activity or repeated use of tokens from unexpected IP addresses.
Compensating Controls: Implement short-lived session tokens and enforce strict network-level controls to reduce the window of opportunity for token interception.
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
This vulnerability represents a significant risk to session integrity. Organizations using Apache Airflow must prioritize updating to version 3.2.0 to ensure that logout events properly terminate user sessions and invalidate existing tokens.