
Vulnerability_id VCID-wjj3-rjkw-8qf3
Summary
Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. The intent was to restrict access to sensitive connection fields to Connection Editing Users, effectively applying a "write-only" model for sensitive values.

In Airflow 3.0.3, this model was unintentionally violated: sensitive connection information could be viewed by users with READ permissions through both the API and the UI. This behavior also bypassed the `AIRFLOW__CORE__HIDE_SENSITIVE_VAR_CONN_FIELDS` configuration option.

This issue does not affect Airflow 2.x, where exposing sensitive information to connection editors was the intended and documented behavior.

Users of Airflow 3.0.3 are advised to upgrade Airflow to >=3.0.4.
Aliases
0
alias CVE-2025-54831
1
alias GHSA-q475-2pgm-7hvp
2
alias PYSEC-2025-85
Fixed_packages
0
url pkg:pypi/apache-airflow@3.0.4
purl pkg:pypi/apache-airflow@3.0.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2b14-1bp2-gua6
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-91n6-evww-zybp
3
vulnerability VCID-9j1n-cypf-p7g5
4
vulnerability VCID-dh4r-77xc-cbas
5
vulnerability VCID-etmw-7eq5-mqa2
6
vulnerability VCID-geg4-1kgh-akde
7
vulnerability VCID-knrd-atwy-gubn
8
vulnerability VCID-t3ap-dzfp-1bd6
9
vulnerability VCID-tbb9-myv7-a7h4
10
vulnerability VCID-w56f-fmkf-dkfv
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.0.4
Affected_packages
0
url pkg:pypi/apache-airflow@3.0.3
purl pkg:pypi/apache-airflow@3.0.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2b14-1bp2-gua6
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-91n6-evww-zybp
3
vulnerability VCID-9j1n-cypf-p7g5
4
vulnerability VCID-dh4r-77xc-cbas
5
vulnerability VCID-etmw-7eq5-mqa2
6
vulnerability VCID-geg4-1kgh-akde
7
vulnerability VCID-knrd-atwy-gubn
8
vulnerability VCID-t3ap-dzfp-1bd6
9
vulnerability VCID-tbb9-myv7-a7h4
10
vulnerability VCID-w56f-fmkf-dkfv
11
vulnerability VCID-wjj3-rjkw-8qf3
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.0.3
References
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://lists.apache.org/thread/vblmfqtydrp5zgn2q8tj3slk5podxspf
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://lists.apache.org/thread/vblmfqtydrp5zgn2q8tj3slk5podxspf
2
reference_url http://www.openwall.com/lists/oss-security/2025/09/25/4
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url http://www.openwall.com/lists/oss-security/2025/09/25/4
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-54831
reference_id CVE-2025-54831
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-54831
4
reference_url https://github.com/advisories/GHSA-q475-2pgm-7hvp
reference_id GHSA-q475-2pgm-7hvp
reference_type
scores
url https://github.com/advisories/GHSA-q475-2pgm-7hvp
Weaknesses
0
cwe_id 213
name Exposure of Sensitive Information Due to Incompatible Policies
description The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed.
1
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
2
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
Severity_range_score 6.5 - 6.5
Exploitability null
Weighted_severity null
Risk_score null
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wjj3-rjkw-8qf3