[<prev] [next>] [day] [month] [year] [list]
Message-ID: <dd452638-757c-8c37-8727-b4f9b427ac2d@apache.org>
Date: Thu, 15 Jan 2026 20:22:59 +0000
From: Ephraim Anierobi <ephraimanierobi@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-68438: Apache Airflow: Secrets in rendered templates
could contain parts of sensitive values when truncated
Severity: low
Affected versions:
- Apache Airflow (apache-airflow) 3.1.0 before 3.1.6
Description:
In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not include user-registered mask_secret() patterns, so secrets were not reliably masked before truncation and display.
Users are recommended to upgrade to 3.1.6 or later, which fixes this issue
Credit:
William Ashe (finder)
Amogh Desai (remediation developer)
References:
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-68438
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
