CVE-2025-57735

Received
Published: 09 Apr 2026, 11:12
Last modified:09 Apr 2026, 13:53

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.1 CRITICAL
v3.1 (cve.org)
EPSS Score
0.01% LOW
0% probability
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

09 Apr 2026, 11:12
Published
Vulnerability first disclosed
09 Apr 2026, 13:53
Last Modified
Vulnerability information updated

Description

When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about the logout scenario and possibility of intercepting the tokens, should upgrade to Airflow 3.2+ Users are recommended to upgrade to version 3.2.0, which fixes this issue.

CVSS Metrics

  • v3.1CRITICALScore: 9.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Trends

Current EPSS score: 0.01% Percentile: 3%

Techniques & Countermeasures

  • CWE-613Insufficient Session Expiration

    According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Affected Systems

  • apache software foundationapache airflow

    ≥ 3.0.0, < 3.2.0

References (3)