Vulnerability Description
A user with access to the DB could craft a database entry that would result in executing code on the Triggerer, which gives anyone who has access to the DB the same permissions as a Dag Author. Since direct DB access is neither usual nor recommended for Airflow, the likelihood of this causing any damage is low. You should upgrade to version 6.0.0 of the provider to avoid even that risk.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Airflow Providers Http | >= 5.1.0, < 6.0.0 |
Related Weaknesses (CWE)
References
- https://github.com/apache/airflow/pull/61662 (Issue Tracking, Patch)
- https://lists.apache.org/thread/zjkfb2njklro68tqzym092r4w65m5dq0 (Mailing List)
- http://www.openwall.com/lists/oss-security/2026/03/09/1 (Mailing List, Third Party Advisory)
FAQ
What is CVE-2025-69219?
CVE-2025-69219 is a vulnerability with a CVSS score of 8.8 (HIGH). A user with access to the DB could craft a database entry that would result in executing code on the Triggerer, which gives anyone who has access to the DB the same permissions as a Dag Author. Since direct D...
How severe is CVE-2025-69219?
CVE-2025-69219 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2025-69219?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Airflow Providers Http.