CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-68675: Airflow Leaks: When Proxies Spill Secrets in the Logs

Vulnerability ID: CVE-2025-68675
CVSS Score: 7.5
Published: 2026-01-16

Apache Airflow versions prior to 3.1.6 failed to mask sensitive credentials embedded within proxy URLs in connection configurations, leading to clear-text password exposure in execution logs.

TL;DR

Apache Airflow's built-in secrets masker missed the 'proxy' and 'proxies' keywords. If you configured a connection to route through an authenticated proxy (e.g., http://user:pass@proxy:8080), Airflow treated that URL as harmless metadata. Consequently, task logs, which are often visible to a wide range of users, would print the full URL, including the password, in plain text. The fix is to upgrade to 3.1.6 or later.


Technical Details

  • CWE ID: CWE-532
  • CVSS v3.1: 7.5 (High)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None (to trigger), Low (to view logs)
  • EPSS Score: 0.00063 (Low)
  • Exploit Status: No Known Exploitation

Affected Systems

  • Apache Airflow Scheduler
  • Apache Airflow Webserver
  • Apache Airflow Worker
  • Apache Airflow: < 3.1.6 (Fixed in: 3.1.6)

Mitigation Strategies

  • Upgrade Apache Airflow to version 3.1.6 or later.
  • Manually add 'proxy' and 'proxies' to the sensitive variable configuration in older versions.
  • Rotate any credentials used in proxy configurations that may have been logged.

Remediation Steps:

  1. Check the current Airflow version: airflow version.
  2. If the version is below 3.1.6, schedule a maintenance window.
  3. Pull the latest Docker image or run pip install "apache-airflow>=3.1.6" (quoted so the shell does not treat > as a redirection).
  4. Restart the Scheduler and Webserver services.
  5. Verify the fix by creating a dummy connection with a proxy and confirming that the logs show ***.
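
To decide which proxy credentials need rotating, existing task logs can be searched for URLs that still carry a clear-text password. The Python script below is an added example, not code from Apache Airflow or from the original report; the log lines, hostnames and account names in it are constructed sample data, and it reports only the username, host and a redacted copy of each line.

```python
import re
from urllib.parse import urlsplit

# Any scheme://... token, ending at whitespace, quotes or angle brackets.
URL_RE = re.compile(r"""[A-Za-z][A-Za-z0-9+.-]*://[^\s'"<>]+""")
MASK = "***"

# Constructed sample log lines (not real Airflow output).
SAMPLE_LOG = [
    "[2026-01-10T08:00:01] INFO - Using connection ID 'http_default' for task execution.",
    "[2026-01-10T08:00:01] INFO - extra: {'proxies': {'https': "
    "'http://svc_etl:S3cr3t%21@proxy.example.internal:8080'}}",
    "[2026-01-10T08:00:02] INFO - extra: {'proxy': 'http://svc_etl:***@proxy.example.internal:8080'}",
    "[2026-01-10T08:00:03] INFO - GET https://api.example.com/v1/items returned 200",
]


def find_leaked_credentials(lines):
    """Return (line_no, username, host, redacted_line) per clear-text URL password."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        redacted, hits = line, []
        for match in URL_RE.finditer(line):
            url = match.group(0).rstrip(".,;)")
            try:
                parts = urlsplit(url)
                password = parts.password
            except ValueError:
                continue  # malformed URL, e.g. a broken IPv6 literal
            if not password or set(password) == {"*"}:
                continue  # no password in the URL, or it is already masked
            userinfo, _, hostport = parts.netloc.rpartition("@")
            user = userinfo.partition(":")[0]
            safe_url = url.replace(parts.netloc, f"{user}:{MASK}@{hostport}", 1)
            redacted = redacted.replace(url, safe_url)
            hits.append((user, parts.hostname))
        # Attach the fully redacted line so no finding echoes another password.
        findings.extend((line_no, user, host, redacted) for user, host in hits)
    return findings


if __name__ == "__main__":
    for line_no, user, host, redacted in find_leaked_credentials(SAMPLE_LOG):
        print(f"line {line_no}: rotate password for {user!r} on {host}")
        print(f"  {redacted}")
```
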
