CVE-2025-50213

CRITICAL9.8

Apache Airflow Providers Snowflake: Potential SQL injection in CopyFromExternalStageToSnowflakeOperator

Published Jun 24, 2025

Modified 8 months ago

Details

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) vulnerability in Apache Airflow Providers Snowflake.

This issue affects Apache Airflow Providers Snowflake: before 6.4.0.

Sanitation of table and stage parameters were added in CopyFromExternalStageToSnowflakeOperator to prevent SQL injection Users are recommended to upgrade to version 6.4.0, which fixes the issue.

References

FIX

https://github.com/apache/airflow/pull/51734

ADVISORY

https://lists.apache.org/thread/2kqfmyt2pghg5f6797g8hzvq331v8qx3

ADVISORY

https://www.cve.org/CVERecord?id=CVE-2025-50213

CVSS Analysis

CVSS v3.1

9.8

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

HighC:H

Integrity

HighI:H

Availability

HighA:H

9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weakness Type (CWE)

Other

CWE-75

Ecosystems

Timeline

PublishedJun 24, 2025

ModifiedJun 24, 2025

CVE-2025-50213 | Mondoo Vulnerability Intelligence