Overview
A critical authentication flaw tracked as CVE-2025-57735 has been identified in Apache Airflow. When a user logs out of the platform, the JWT (JSON Web Token) they were authenticated with is not invalidated server-side, leaving it reusable if intercepted. The vulnerability carries a CVSS score of 9.1 and was addressed in Apache Airflow version 3.2 via a proper token invalidation mechanism.
Vulnerability Details
| Field | Details |
|---|---|
| CVE ID | CVE-2025-57735 |
| CVSS Score | 9.1 (Critical) |
| Affected Versions | Apache Airflow prior to 3.2 |
| Fixed Version | Apache Airflow 3.2 |
| Component | JWT authentication / session management |
| Attack Vector | Network |
Technical Analysis
Apache Airflow uses JWT tokens for authenticating API and web UI sessions. Under normal operation, a user who logs out should have their active token revoked. However, in versions prior to 3.2, the logout process did not record or invalidate the JWT on the server side.
This means that if an attacker intercepts a valid JWT through any means — network interception, cross-site scripting (XSS), browser history, token leakage in logs, or a compromised environment — they can continue to use it even after the legitimate user has logged out.
Exploit scenario:
- An authenticated Airflow user logs out of the web UI or API.
- The user believes their session is terminated.
- An attacker who previously captured the user's JWT can replay that token to the Airflow API.
- The server accepts the token as valid (no revocation check) and grants full access.
This is particularly dangerous in shared or cloud-based Airflow deployments where multiple users interact with DAGs, connections, variables, and secrets. Airflow's connections and variables often store database credentials, cloud API keys, and other sensitive secrets — making unauthorized session reuse extremely high-impact.
Root Cause
The root cause is a missing token blocklist / revocation mechanism at logout. JWTs are stateless by design: the server validates the signature and expiry, not whether the session that issued the token still exists. Without a server-side revocation store (such as a Redis blocklist or a database token table), there is no way to invalidate a token before its expiry.
Airflow 3.2 introduces explicit token invalidation at logout by implementing a mechanism that records invalidated tokens and rejects them on subsequent requests.
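The mechanism described above, as an added example that is not Airflow's own code: a minimal HS256 JWT issuer and verifier with a server-side revocation store keyed by the token's `jti` claim. Calling `verify_token` without a store reproduces the pre-3.2 behaviour (signature and expiry checked, logout never consulted); the names `issue_token`, `RevocationStore`, `logout`, `verify_token` and the signing key are hypothetical.

```python
# Added illustration, not Airflow's own code; names below are hypothetical.
import base64, hashlib, hmac, json, time, uuid
SECRET = b"demo-signing-key"  # constructed for this example only

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub, ttl=3600, now=None):
    """Sign sub/exp plus a unique jti; without a jti there is nothing to revoke."""
    now = time.time() if now is None else now
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": sub, "exp": int(now + ttl), "jti": uuid.uuid4().hex}).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def _decode(token, now):
    """Signature and expiry check only; returns the claims or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return None
    claims = json.loads(_unb64(body))
    return claims if claims.get("exp", 0) > now else None

class RevocationStore:
    """Server-side jti blocklist (Redis or a DB table in practice); entries are pruned at their exp."""
    def __init__(self):
        self._revoked = {}  # jti -> exp
    def revoke(self, claims):
        self._revoked[claims["jti"]] = claims["exp"]
    def is_revoked(self, claims, now):
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}
        return claims["jti"] in self._revoked

def logout(token, store, now=None):
    """Fixed logout: record the jti server-side rather than only clearing the client cookie."""
    claims = _decode(token, time.time() if now is None else now)
    if claims is not None:
        store.revoke(claims)

def verify_token(token, store=None, now=None):
    """store=None reproduces the pre-3.2 flaw: nothing checks whether the user logged out."""
    now = time.time() if now is None else now
    claims = _decode(token, now)
    return None if claims is None or (store is not None and store.is_revoked(claims, now)) else claims
```

Pruning entries at their `exp` keeps the blocklist bounded to tokens that could still be replayed, which is why shortening the JWT lifetime also shrinks the store.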
Impact
- Confidentiality: An attacker can read sensitive connection credentials, variables, DAG configurations, and execution logs.
- Integrity: Malicious actors can trigger, pause, or modify DAG runs, variables, and connections.
- Availability: DAG pipelines can be disrupted or deleted by an unauthorized actor using a replayed token.
Organizations running Airflow in production environments — especially those with CI/CD integrations, cloud credential storage, or multi-tenant setups — are at significant risk.
Remediation
Upgrade to Apache Airflow 3.2 or later. This version introduces the server-side JWT invalidation mechanism that properly terminates sessions on logout.
If an immediate upgrade is not possible, the following mitigations reduce risk:
- Shorten JWT expiry times in your Airflow configuration to limit the reuse window.
- Rotate credentials stored in Airflow connections and variables if you suspect token interception has occurred.
- Enable audit logging to monitor for anomalous API access patterns following user logouts.
- Restrict network access to the Airflow web server and API to trusted internal networks only.
- Use HTTPS exclusively to reduce the risk of token interception in transit.