Airflow Providers Http
CVE-2025-69219
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 1 pypi packages depend on apache-airflow-providers-http (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 6.0.0.
DescriptionCVE.org
A user with access to the DB could craft a database entry that would result in executing code on Triggerer - which gives anyone who have access to DB the same permissions as Dag Author. Since direct DB access is not usual and recommended for Airflow, the likelihood of it making any damage is low.
You should upgrade to version 6.0.0 of the provider to avoid even that risk.
AnalysisAI
Airflow Providers Http is affected by improper control of dynamically-managed code resources (CVSS 8.8).
Technical ContextAI
This vulnerability (CWE-913: Improper Control of Dynamically-Managed Code Resources) affects Airflow Providers Http. A user with access to the DB could craft a database entry that would result in executing code on Triggerer - which gives anyone who have access to DB the same permissions as Dag Author. Since direct DB access is not usual and recommended for Airflow, the likelihood of it making any damage is low.
You should upgrade to version 6.0.0 of the provider to avoid even that risk.
RemediationAI
A vendor patch is available — apply it immediately. Update to version 6.0.0 or later. Restrict network access to the affected service where possible.
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-9r5j-7r2x-rv4g