Nixpkgs Security Tracker

Permalink CVE-2025-62402

updated 3 weeks, 4 days ago by @LeSuisse Activity log

Created automatic suggestion 2 months, 3 weeks ago
@LeSuisse dismissed 3 weeks, 4 days ago

Apache Airflow: Airflow 3 API: /api/v2/dagReports executes DAG Python in API

API users via `/api/v2/dagReports` could perform Dag code execution in the context of the api-server if the api-server was deployed in the environment where Dag files were available.

Affected products

apache-airflow

<3.1.1

Matching in nixpkgs

pkgs.apache-airflow

Programmatically author, schedule and monitor data pipelines

nixos-unstable 2.7.3
- nixpkgs-unstable 2.7.3
- nixos-unstable-small 2.7.3
nixos-25.05 2.7.3
- nixos-25.05-small 2.7.3
- nixpkgs-25.05-darwin 2.7.3

Package maintainers

@ingenieroariel Ariel Nunez <ariel@nunez.co>
@bhipple Benjamin Hipple <bhipple@protonmail.com>
@gbpdt Graham Bennett <nix@pdtpartners.com>

Only impact > 3.0

Permalink CVE-2025-66388

updated 3 weeks, 4 days ago by @LeSuisse Activity log

Created automatic suggestion 1 month ago
@LeSuisse dismissed 3 weeks, 4 days ago

Apache Airflow: Secrets in rendered templates not redacted properly and exposed in the UI

A vulnerability in Apache Airflow allowed authenticated UI users to view secret values in rendered templates due to secrets not being properly redacted, potentially exposing secrets to users without the appropriate authorization. Users are recommended to upgrade to version 3.1.4, which fixes this issue.

Affected products

apache-airflow

<3.1.4

Matching in nixpkgs

pkgs.apache-airflow

Programmatically author, schedule and monitor data pipelines

nixos-unstable 2.7.3
- nixpkgs-unstable 2.7.3
- nixos-unstable-small 2.7.3
nixos-25.05 2.7.3
- nixos-25.05-small 2.7.3
- nixpkgs-25.05-darwin 2.7.3

Package maintainers

@ingenieroariel Ariel Nunez <ariel@nunez.co>
@bhipple Benjamin Hipple <bhipple@protonmail.com>
@gbpdt Graham Bennett <nix@pdtpartners.com>

Only impact the 3.1.x branch.

Permalink CVE-2025-68438

updated 3 weeks, 4 days ago by @LeSuisse Activity log

Created automatic suggestion 3 weeks, 5 days ago
@LeSuisse dismissed 3 weeks, 4 days ago

Apache Airflow: Secrets in rendered templates could contain parts of sensitive values when truncated

In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not include user-registered mask_secret() patterns, so secrets were not reliably masked before truncation and display. Users are recommended to upgrade to 3.1.6 or later, which fixes this issue

Affected products

apache-airflow

<3.1.6

Matching in nixpkgs

pkgs.apache-airflow

Programmatically author, schedule and monitor data pipelines

nixos-unstable 2.7.3
- nixpkgs-unstable 2.7.3
- nixos-unstable-small 2.7.3
nixos-25.05 2.7.3
- nixos-25.05-small 2.7.3
- nixpkgs-25.05-darwin 2.7.3

Package maintainers

@bhipple Benjamin Hipple <bhipple@protonmail.com>
@gbpdt Graham Bennett <nix@pdtpartners.com>
@ingenieroariel Ariel Nunez <ariel@nunez.co>

Only impact the 3.1.x branch

Suggestions search

Affected products

Matching in nixpkgs

pkgs.apache-airflow

Package maintainers

Affected products

Matching in nixpkgs

pkgs.apache-airflow

Package maintainers

Affected products

Matching in nixpkgs

pkgs.apache-airflow

Package maintainers