CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Description
When a user logged out, the JWT token the user had authenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented a mechanism that invalidates the token at logout. Users who are concerned about the logout scenario and the possibility of intercepting tokens should upgrade to Airflow 3.2+. Users are recommended to upgrade to version 3.2.0, which fixes this issue.
Analysis
A JWT token reuse vulnerability in Apache Airflow 3.0.0 through 3.1.x allows unauthenticated remote attackers to impersonate authenticated users by intercepting a token and replaying it after the legitimate user has logged out. The framework did not invalidate JWT authentication tokens during logout, so a session persisted beyond its intended termination. An attacker positioned to intercept tokens on the network can gain unauthorized access to high-integrity operations. EPSS indicates low observed exploitation activity, and no public exploit had been identified at the time of analysis.
Technical Context
Root cause (CWE-613, Insufficient Session Expiration): Airflow's JWT authentication implementation lacked a server-side token revocation mechanism for logout. Authentication state relied solely on token expiry rather than an explicit invalidation list or session store, so a token stayed valid until it expired regardless of whether its user had logged out. The PR:N component of the CVSS vector reflects that the exploit path requires no privileges of the attacker's own, since the replayed token was issued to a legitimate user session. The fix implements server-side token blacklisting/revocation at logout.
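The expiry-only check described above beside the revocation-backed check the fix introduces, as an added Python illustration that is not Airflow's own code: a minimal HS256-style token issuer and a verifier that, with revoke_on_logout enabled, records the token's jti in a server-side revocation set at logout and rejects that token afterwards even though it has not expired. The signing key, the TokenVerifier class and the token layout are constructed for this example.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-signing-key"  # constructed; a real deployment loads this from config


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, ttl_seconds: int = 3600, now=None) -> str:
    """Mint an HS256-style compact token; the random 'jti' is what revocation keys on."""
    now = time.time() if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": subject, "jti": secrets.token_hex(8),
              "iat": int(now), "exp": int(now) + ttl_seconds}
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


class TokenVerifier:
    """revoke_on_logout=False reproduces the expiry-only check (CWE-613);
    revoke_on_logout=True adds the server-side revocation set the fix relies on."""

    def __init__(self, revoke_on_logout: bool) -> None:
        self.revoke_on_logout = revoke_on_logout
        self.revoked = set()  # in practice shared storage visible to every API worker

    def logout(self, token: str) -> None:
        claims = self.verify(token)
        if self.revoke_on_logout and claims is not None:
            self.revoked.add(claims["jti"])  # nothing is recorded in the vulnerable mode

    def verify(self, token: str, now=None):
        """Return the claims if signature, expiry and (when enabled) revocation checks pass."""
        now = time.time() if now is None else now
        try:
            header, body, sig = token.split(".")
            expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig)):
                return None
            claims = json.loads(_unb64(body))
        except ValueError:  # malformed token, bad base64 or bad JSON
            return None
        if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
            return None  # expiry was the only check the affected versions made
        if self.revoke_on_logout and claims.get("jti") in self.revoked:
            return None  # logged-out token rejected although it has not expired
        return claims
```

Shortening ttl_seconds narrows how long a logged-out token stays usable in the expiry-only mode, but only the revocation set makes logout actually terminate the session.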
Affected Products
Apache Airflow versions 3.0.0 through 3.1.x (all point releases prior to 3.2.0). Vendor: Apache Software Foundation. CPE applicability: cpe:2.3:a:apache:airflow:3.0.*:*:*:*:*:*:* and cpe:2.3:a:apache:airflow:3.1.*:*:*:*:*:*:*
Remediation
Vendor-released patch: Apache Airflow 3.2.0 resolves the token invalidation deficiency through a server-side revocation mechanism (implemented via PR #56633 and #61339). Organizations must upgrade immediately to 3.2.0 or later. No effective workaround exists for affected 3.0-3.1 deployments; reducing the token lifespan via configuration only narrows the exposure window and does not prevent replay attacks. Review authentication logs for anomalous token reuse patterns after logout events.
Official advisory: https://lists.apache.org/thread/ovn8mpd8zkc604hojt7x3wsw3kc60x98
Additional technical details: https://github.com/apache/airflow/pull/61339
EUVD-2025-209371
GHSA-c92r-g8j5-vhcx