PyPI: apache-airflow-providers-edge3
CVE-2025-67895
Safety vulnerability ID: SFTY-20251217-91455
Safety legacy ID: pyup.io-82919
Overview
Apache Airflow Providers Edge3 exposes internal API allowing RCE in web server context
Advisory
Affected versions of the apache-airflow-providers-edge3 package are vulnerable to Remote Code Execution due to an internal, non-public Edge3 testing API being implicitly enabled when the provider is installed and configured on Airflow 2. The Edge3 provider’s “Edge3 Worker RPC” path exposes a normally non-public API surface in Airflow 2 that permits a DAG author to trigger code execution in the webserver context, violating the intended separation between DAG author capabilities and webserver execution.
References
- https://getsafety.com/vulnerabilities/SFTY-20251217-91455/CVE-2025-67895
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-67895
- https://github.com/advisories/GHSA-66h8-3g48-6hx8
- https://nvd.nist.gov/vuln/detail/CVE-2025-67895
- https://github.com/apache/airflow/pull/59143
- https://lists.apache.org/thread/hhnmmzkj5qx5gbk6pdkh8tcsx5oj1nqs
- http://www.openwall.com/lists/oss-security/2025/12/16/3
