Vulnerability in Apache Software Foundation Airflow
CVE-2025-57735
When a user logged out, the JWT token the user had authenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at…
EPSS: 0.000 (9.1th percentile)
Affected products
- Apache Software Foundation Airflow — versions 3.0.0
Weakness classification (CWE)
References
- github.com/apache/airflow/pull/61339 (patch)
- github.com/apache/airflow/pull/56633 (patch)
- lists.apache.org/thread/ovn8mpd8zkc604hojt7x3wsw3kc60x98 (vendor-advisory)