CVE-2025-57735

EUVD-2025-209371
CRITICAL 9.1 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

4 events, oldest first:
CVE Published: Apr 09, 2026 11:16 (nvd)
Analysis Generated: Apr 09, 2026 11:22 (vuln.today)
EUVD ID Assigned: Apr 09, 2026 11:22 (euvd), EUVD-2025-209371
Patch Released: Apr 10, 2026 20:30 (nvd), patch available

Description

When a user logged out, the JWT token the user had authenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented a mechanism that performs token invalidation at logout. Users who are concerned about the logout scenario and the possibility of intercepted tokens should upgrade to Airflow 3.2+. Users are recommended to upgrade to version 3.2.0, which fixes this issue.

Analysis

Apache Airflow 3.0.0 through 3.1.x did not invalidate a user's JWT when that user logged out. An attacker who has obtained the token (for example by intercepting it) can therefore keep replaying it after the legitimate session has ended, and the server keeps accepting it until the token's expiry time. The vector's PR:N reflects that the attacker needs no account of their own; the precondition is possession of a token issued to a real user. A replayed token carries that user's full API privileges, hence C:H and I:H with no availability impact. EPSS indicates low observed exploitation activity, and no public exploit was identified at the time of analysis.

Technical Context

Root cause (CWE-613, Insufficient Session Expiration): Airflow's JWT authentication had no server-side revocation step at logout. A JWT is validated statelessly from its signature and exp claim, so a logout that only discards the token on the client side leaves the server accepting it until exp. Ending a session early therefore needs server-side state: the fix records the token at logout in a denylist/revocation store and consults that store on every request. Two caveats for practitioners: the store only has to retain an entry until the token's own exp, after which the stateless check rejects it anyway; and logout revocation closes the post-logout window only, so a token stolen and used while the session is still live is unaffected, which is why short token lifetimes still matter.
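The two patterns contrasted above, as an added illustration that is not Airflow's code and does not reproduce the project's actual fix: a minimal HS256 JWT issued with a jti, a stateless verifier that checks only signature and exp (the flawed shape), and a verifier that additionally consults a revocation store populated at logout. The signing key, class names and the replay scenario are all constructed for the example; the stdlib is used so it runs without PyJWT.

```python
import base64
import hashlib
import hmac
import json
import uuid
from typing import Dict, Optional

# Constructed signing key for the demo only; a real service loads it from configuration.
SECRET = b"demo-hs256-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl_seconds: int, now: int) -> str:
    """Mint a minimal HS256 JWT with sub, iat, exp and a unique jti (the revocation handle)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl_seconds, "jti": uuid.uuid4().hex}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_signature_and_expiry(token: str, now: int) -> Optional[dict]:
    """Stateless checks only: HMAC validity and exp. Returns the payload or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad base64 (binascii.Error) or bad JSON both subclass ValueError
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload


class StatelessSessions:
    """The flawed shape (CWE-613): logout is a no-op server-side, so a stolen
    token stays valid until exp no matter what the user does."""

    def authenticate(self, token: str, now: int) -> Optional[dict]:
        return verify_signature_and_expiry(token, now)

    def logout(self, token: str, now: int) -> None:
        return None  # nothing recorded; only the client forgets the token


class RevokingSessions:
    """The fixed shape: logout records the token's jti until its exp, and every
    request checks that denylist after the stateless checks."""

    def __init__(self) -> None:
        self._revoked: Dict[str, int] = {}  # jti -> exp of the revoked token

    def authenticate(self, token: str, now: int) -> Optional[dict]:
        payload = verify_signature_and_expiry(token, now)
        if payload is None:
            return None
        jti = payload.get("jti")
        if not isinstance(jti, str) or jti in self._revoked:
            return None  # no revocation handle, or revoked at logout: reject
        return payload

    def logout(self, token: str, now: int) -> None:
        payload = verify_signature_and_expiry(token, now)
        if payload is not None and isinstance(payload.get("jti"), str):
            self._revoked[payload["jti"]] = int(payload["exp"])
        self.purge(now)

    def purge(self, now: int) -> int:
        """Drop entries whose token has expired anyway; returns how many remain."""
        self._revoked = {j: exp for j, exp in self._revoked.items() if exp > now}
        return len(self._revoked)


def replay_after_logout(service, now: int = 1_700_000_000) -> tuple:
    """Issue, use, log out, then replay 60 s later as an attacker holding the token.
    Returns (accepted before logout, accepted after logout)."""
    token = issue_token("alice", ttl_seconds=3600, now=now)
    accepted_before = service.authenticate(token, now + 1) is not None
    service.logout(token, now + 2)
    accepted_after = service.authenticate(token, now + 62) is not None
    return accepted_before, accepted_after


if __name__ == "__main__":
    print("stateless:", replay_after_logout(StatelessSessions()))
    print("revoking: ", replay_after_logout(RevokingSessions()))
```

The store is keyed by jti rather than by the whole token so it stays small, and `purge` bounds its growth to tokens that could still pass the exp check; in a multi-process deployment that dictionary has to live in shared storage (a database table or cache) that every API worker consults.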

Affected Products

Apache Airflow versions 3.0.0 through 3.1.x (all point releases prior to 3.2.0). Vendor: Apache Software Foundation. CPE applicability: cpe:2.3:a:apache:airflow:3.0.*:*:*:*:*:*:* and cpe:2.3:a:apache:airflow:3.1.*:*:*:*:*:*:*

Remediation

Vendor-released patch: Apache Airflow 3.2.0 adds server-side token revocation at logout (implemented via PR #56633 and #61339). Upgrade affected deployments to 3.2.0 or later and confirm the running release with `airflow version` on each component. There is no workaround for 3.0.x and 3.1.x: shortening the configured token lifetime narrows the replay window but does not stop replay within it. If an interception is suspected before the upgrade can land, rotating the JWT signing secret invalidates every outstanding token at the cost of forcing all users to re-authenticate; that is an incident-response measure, not a substitute for the fix. Review authentication logs for requests that present a token after a logout event for that token, which requires that logout events and subsequent requests are logged with a token identifier. Official advisory: https://lists.apache.org/thread/ovn8mpd8zkc604hojt7x3wsw3kc60x98 Additional technical details: https://github.com/apache/airflow/pull/61339
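The log review suggested above, as an added example that is not part of the advisory or of Airflow: a stateful scan that flags any request presenting a token identifier after that identifier appeared in a logout event. The line format, field names and the sample log are constructed for the example; Airflow's own logs may not carry a jti, so the point to take away is the logic, and the regex must be adapted to whatever your auth layer or reverse proxy actually emits.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical log format (not Airflow's): timestamp, event, user, token id, optional src/path.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\w+) user=(?P<user>\S+) jti=(?P<jti>\S+)"
    r"(?: src=(?P<src>\S+))?(?: path=(?P<path>\S+))?$"
)

# Constructed sample: alice logs out at 11:25:30, then her token keeps being used
# from a different source address; bob's session is clean.
SAMPLE_LOG = """\
2026-04-09T11:20:01Z event=login user=alice jti=a1f3 src=10.0.0.5
2026-04-09T11:21:15Z event=api_request user=alice jti=a1f3 src=10.0.0.5 path=/api/v2/dags
2026-04-09T11:25:30Z event=logout user=alice jti=a1f3 src=10.0.0.5
2026-04-09T11:27:10Z event=api_request user=alice jti=a1f3 src=203.0.113.9 path=/api/v2/dags/etl/dagRuns
2026-04-09T11:30:00Z event=login user=bob jti=b7c2 src=10.0.0.8
2026-04-09T11:31:00Z event=api_request user=bob jti=b7c2 src=10.0.0.8 path=/api/v2/dags
2026-04-09T11:40:00Z event=api_request user=alice jti=a1f3 src=203.0.113.9 path=/api/v2/connections
"""


@dataclass
class Finding:
    user: str
    jti: str
    logged_out_at: str
    request_at: str
    src: str
    path: str


def find_post_logout_reuse(log_text: str) -> List[Finding]:
    """Flag requests whose jti was already seen in a logout event.
    Lines are assumed to be in time order (ISO-8601 UTC timestamps sort lexically)."""
    logged_out: Dict[str, str] = {}  # jti -> timestamp of the logout event
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        f = m.groupdict()
        if f["event"] == "logout":
            logged_out[f["jti"]] = f["ts"]
        elif f["jti"] in logged_out:
            findings.append(Finding(f["user"], f["jti"], logged_out[f["jti"]],
                                    f["ts"], f["src"] or "-", f["path"] or "-"))
    return findings


if __name__ == "__main__":
    for hit in find_post_logout_reuse(SAMPLE_LOG):
        print(f"{hit.request_at} user={hit.user} jti={hit.jti} src={hit.src} "
              f"path={hit.path} (logged out {hit.logged_out_at})")
```

On a patched 3.2.0 deployment the same scan is still useful as a detection for attempted replay: the requests would now be rejected, but their presence in the logs still tells you a token was taken.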

Priority Score

46 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.0, CVSS +46, POC 0


CVE-2025-57735 vulnerability details – vuln.today
