CVE-2025-27018

low-risk

Published 2025-03-19

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow MySQL Provider. When user triggered a DAG with dump_sql or load_sql functions they could pass a table parameter from a UI, that could cause SQL injection by running SQL that was not intended. It could lead to data corruption, modification and others. This issue affects Apache Airflow MySQL Provider: before 6.2.0. Users are recommended to upgrade to version 6.2.0, which fixes the issue.

Do I need to act?

0.33% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Apache-Airflow-Providers-Mysql

Affected Vendors

Apache

References (4)

Issue Tracking https://github.com/apache/airflow/pull/47254

Issue Tracking https://github.com/apache/airflow/pull/47255

Mailing List https://lists.apache.org/thread/m8ohgkwz4mq9njohf66sjwqjdy28gvzf

Mailing List http://www.openwall.com/lists/oss-security/2025/03/19/4

/ 100

low-risk

Severity 23/34 · High

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal