Main Vulnerability Database SB2025121732

SB2025121732 - Remote code execution in Apache Airflow Providers Edge3

Published: December 17, 2025

Security Bulletin ID SB2025121732

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Missing Authentication for Critical Function (CVE-ID: CVE-2025-67895)

The vulnerability allows a remote user to compromise the affected system.

The vulnerability exists due to the application exposes Edge3 Worker RPC via API endpoints. A remote Dag author can use the exposed endpoints to execute arbitrary code on the system.

The vulnerability affects Edge3 provider installations on Airflow 2.

Remediation

Install update from vendor's website.

References

https://lists.apache.org/thread/630lqp2xp74hqc3p73yglkynmm2tnlm6