CVE-2025-30473 · HIGH 8.8 · EPSS p49.5%

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow Common SQL Provider. When the partition clause in SQLTableCheckOperator was supplied as a parameter (which was a recommended pattern), an authenticated UI user could inject arbitrary SQL commands when triggering a DAG that exposed partition_clause to the user. This allowed the DAG-triggering user to escalate privileges and execute arbitrary commands that they would not normally be able to run. This issue affects Apache Airflow Common SQL Provider: before 1.24.1. Users are recommended to upgrade to version 1.24.1, which fixes the issue.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.73% probability of exploitation · percentile 49.5% · 2026-06-18T12:00:27Z
Published: 2025-04-07
Last modified: 2025-04-11

Underlying weaknesses · 1

CWE-89

References

  1. https://github.com/apache/airflow/pull/48098
  2. https://lists.apache.org/thread/53klkv790cylqcop0350w7nfq1y6h0t2
  3. http://www.openwall.com/lists/oss-security/2025/04/04/2
  4. http://www.openwall.com/lists/oss-security/2025/04/06/1
  5. http://www.openwall.com/lists/oss-security/2025/04/06/2
  6. http://www.openwall.com/lists/oss-security/2025/04/06/3

Type: Weakness
Target: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (cwe-89)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2025-50213
CVE-2025-69219
CVE-2026-41014
CVE-2026-30898
CVE-2025-47954
CVE-2025-59499

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.