Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-1fj3-3bdw-nbch

Summary

Apache Airflow exposes sensitive information in its log files
Airflow versions before 2.11.1 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive connection parameters were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.11.1 or a later version, which addresses this issue. Users who previously used the CLI to set connections should manually delete entries with those connection sensitive values from the log table. This is similar but not the same issue as CVE-2024-50378

Aliases

alias	CVE-2025-27555

alias	GHSA-8r55-rv5w-6pfm

Fixed_packages

url pkg:pypi/apache-airflow@2.11.1

purl pkg:pypi/apache-airflow@2.11.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2xr2-w3hk-auck

vulnerability	VCID-91n6-evww-zybp

vulnerability	VCID-dh4r-77xc-cbas

vulnerability	VCID-t3ap-dzfp-1bd6

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.11.1

Affected_packages

References

reference_url	https://github.com/apache/airflow
reference_id
reference_type
scores
url	https://github.com/apache/airflow

reference_url	https://github.com/apache/airflow/pull/61882
reference_id
reference_type
scores
url	https://github.com/apache/airflow/pull/61882

reference_url	https://lists.apache.org/thread/nxovkp319jo8vg498gql1yswtb2frbkw
reference_id
reference_type
scores
url	https://lists.apache.org/thread/nxovkp319jo8vg498gql1yswtb2frbkw

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2025-27555
reference_id	CVE-2025-27555
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2025-27555

reference_url	https://github.com/advisories/GHSA-8r55-rv5w-6pfm
reference_id	GHSA-8r55-rv5w-6pfm
reference_type
scores
url	https://github.com/advisories/GHSA-8r55-rv5w-6pfm

Weaknesses

cwe_id	201
name	Insertion of Sensitive Information Into Sent Data
description	The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

cwe_id	532
name	Insertion of Sensitive Information into Log File
description	Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score null

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1fj3-3bdw-nbch

Vulnerability Instance