Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link.
Users should upgrade to 2.10.0 or later, which fixes this vulnerability.

Affected Packages

PyPI apache-airflow

Affected versions: 0 (fixed in 2.10.0)

Related CVEs

CVE-2024-41937

Key Information

GHSA ID

GHSA-w7cp-g8v7-r54m

Published

August 21, 2024 6:31 PM

Last Modified

March 21, 2025 4:28 AM

CVSS Score

5.0 /10

Primary Ecosystem

PyPI

Primary Package

apache-airflow

GitHub Reviewed

✓ Yes

Dataset

Last updated: September 16, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.