DNA View

Critical Severity Vulnerability

This vulnerability has been rated as Critical severity. Immediate action is recommended.

CVE-2025-57735

Critical

Low Medium High Critical

9.1

CVSS Score

Published: Apr 09, 2026

Last Modified: Apr 17, 2026

CWE: CWE-613

Vulnerability Description

When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about the logout scenario and possibility of intercepting the tokens, should upgrade to Airflow 3.2+

Users are recommended to upgrade to version 3.2.0, which fixes this issue.

CVSS Metrics

Common Vulnerability Scoring System

Vector String:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Known Affected Software

14 configuration(s) from 1 vendor(s)

airflow

Version:

3.1.5

CPE:

cpe:2.3:a:apache:airflow:3.1.5:-:*:*:*:*:*:*

airflow

Version:

3.0.0

CPE:

cpe:2.3:a:apache:airflow:3.0.0:rc4:*:*:*:*:*:*

airflow

Version:

3.0.3

CPE:

cpe:2.3:a:apache:airflow:3.0.3:-:*:*:*:*:*:*

airflow

Version:

3.1.6

CPE:

cpe:2.3:a:apache:airflow:3.1.6:-:*:*:*:*:*:*

airflow

Version:

3.1.3

CPE:

cpe:2.3:a:apache:airflow:3.1.3:-:*:*:*:*:*:*

airflow

Version:

3.1.1

CPE:

cpe:2.3:a:apache:airflow:3.1.1:-:*:*:*:*:*:*

airflow

Version:

3.0.2

CPE:

cpe:2.3:a:apache:airflow:3.0.2:-:*:*:*:*:*:*

airflow

Version:

3.0.5

CPE:

cpe:2.3:a:apache:airflow:3.0.5:-:*:*:*:*:*:*

airflow

Version:

3.0.6

CPE:

cpe:2.3:a:apache:airflow:3.0.6:-:*:*:*:*:*:*

airflow

Version:

3.1.2

CPE:

cpe:2.3:a:apache:airflow:3.1.2:rc1:*:*:*:*:*:*

airflow

Version:

3.1.0

CPE:

cpe:2.3:a:apache:airflow:3.1.0:-:*:*:*:*:*:*

airflow

Version:

3.1.4

CPE:

cpe:2.3:a:apache:airflow:3.1.4:rc1:*:*:*:*:*:*

airflow

Version:

3.0.4

CPE:

cpe:2.3:a:apache:airflow:3.0.4:-:*:*:*:*:*:*

airflow

Version:

3.0.1

CPE:

cpe:2.3:a:apache:airflow:3.0.1:-:*:*:*:*:*:*

This vulnerability affects 14 software configuration(s). Ensure you patch all affected systems.

References & Resources

Severity Details

9.1

out of 10.0

Critical

Weakness Type (CWE)

CWE-613

Insufficient Session Expiration

Description: According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Typical Severity: Medium
Abstraction Level: Base