CVE-2025-27018

MEDIUM

Apache Airflow MySQL Provider <6.2.0 - SQL Injection

Title source: llm

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow MySQL Provider. When user triggered a DAG with dump_sql or load_sql functions they could pass a table parameter from a UI, that could cause SQL injection by running SQL that was not intended. It could lead to data corruption, modification and others. This issue affects Apache Airflow MySQL Provider: before 6.2.0. Users are recommended to upgrade to version 6.2.0, which fixes the issue.

References (4)

Scores

CVSS v3 6.3
EPSS 0.0033
EPSS Percentile 55.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Classification

CWE
CWE-89
Status published

Affected Products (2)

apache/apache-airflow-providers-mysql < 6.2.0
pypi/apache-airflow-providers-mysql < 6.2.0PyPI

Timeline

Published Mar 19, 2025
Tracked Since Feb 18, 2026