CVE-2024-41937 – Apache Airflow versions before 2.10.0 contain a... (How to Fix)

Q: What is the severity of CVE-2024-41937?

CVE-2024-41937 has a CVSS score of 6.1 (MEDIUM). Apache Airflow versions before 2.10.0 contain a cross-site scripting (XSS) vulnerability in provider documentation links. Malicious providers can execute arbitrary JavaScript when users click on their documentation links. This affects Airflow administrators and users who install third-party providers.

📋 TL;DR

Apache Airflow versions before 2.10.0 contain a cross-site scripting (XSS) vulnerability in provider documentation links. Malicious providers can execute arbitrary JavaScript when users click on their documentation links. This affects Airflow administrators and users who install third-party providers.

💻 Affected Systems

Products:

Apache Airflow

Versions: All versions before 2.10.0

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Requires installation of a malicious provider package and user interaction (clicking provider link).

📦 What is this software?

Airflow by Apache

View all CVEs affecting Airflow →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains session cookies, performs actions as authenticated users, or steals sensitive data through malicious JavaScript execution.

🟠

Likely Case

Session hijacking, credential theft, or unauthorized actions within the Airflow interface.

🟢

If Mitigated

Limited impact due to same-origin policy restrictions and requiring user interaction.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires social engineering to install malicious provider and trick users into clicking links.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.10.0 or later

Vendor Advisory: https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d

Restart Required: Yes

Instructions:

1. Backup your Airflow configuration and database. 2. Upgrade Airflow using pip: 'pip install --upgrade apache-airflow==2.10.0'. 3. Restart all Airflow services. 4. Verify the upgrade completed successfully.

🔧 Temporary Workarounds

Restrict Provider Installation

all

Only install providers from trusted sources and review provider packages before installation.

User Awareness Training

all

Train users not to click on suspicious provider documentation links.

🧯 If You Can't Patch

Implement strict Content Security Policy (CSP) headers to restrict script execution
Monitor and audit installed provider packages for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check Airflow version: if version is below 2.10.0, system is vulnerable.

Check Version:

airflow version

Verify Fix Applied:

Confirm Airflow version is 2.10.0 or higher and test provider documentation links.

📡 Detection & Monitoring

Log Indicators:

Unusual provider installation activity
Multiple failed authentication attempts from same session

Network Indicators:

Unexpected outbound connections from Airflow server after clicking provider links

SIEM Query:

source="airflow" AND (event="provider_install" OR event="documentation_click")

📊 Metadata

CVE ID: CVE-2024-41937

CVSS v3 Score: 6.1 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE: CWE-79

Published: August 21, 2024

Last Updated: March 20, 2025

🔗 References

https://github.com/apache/airflow/pull/40933 Patch
https://lists.apache.org/thread/lwlmgg6hqfmkpvw5py4w53hxyl37jl6d Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/08/21/3

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-41937, you might also want to check these: