CVE-2025-57735 -- CVSS 9.1 Vulnerability Briefing
CVE-2025-57735 | CVSS 9.1 (Critical) | Exploit: No known exploit
What Is It
CVE-2025-57735 is a session management vulnerability in Apache Airflow in which JWT tokens are not invalidated server-side upon user logout, leaving intercepted tokens valid for reuse until natural expiration.
Technical Detail
The flaw exists because Apache Airflow did not implement server-side token revocation on logout, meaning a JWT issued during an authenticated session remains cryptographically valid after the user signs out. An attacker who intercepts or obtains a post-logout token through network interception, log exposure, or other means can replay it to authenticate as the original user without credentials. The impact is unauthorized access to Airflow's workflow orchestration interface, which typically carries significant privilege given its role in managing pipelines, connections, and secrets. Apache addressed this by implementing a token invalidation mechanism in Airflow 3.2.
Exploitation Status
No known exploit code has been published, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog as of the date of this briefing. Exploit maturity is assessed as "no known exploit"; the vulnerability class is nonetheless straightforward, and abuse requires no specialized tooling once a token has been obtained.
Who Is Targeting This
No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this CVE in available intelligence sources.
What To Do
Upgrade to Apache Airflow 3.2 or later, which introduces server-side JWT invalidation on logout. Organizations unable to patch immediately should enforce short JWT expiration windows as a compensating control, reducing the window of token reuse. Network-level controls such as TLS enforcement and strict access controls on Airflow endpoints reduce the risk of token interception. Review access logs for anomalous authentication events, particularly repeated logins from unexpected source IPs or user agents following known logout events. Given the critical CVSS score of 9.1, patching should be treated as high priority in any environment where Airflow is internet-accessible or handles sensitive pipeline credentials.
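The fix described above, as an added illustration that is not Airflow's own code: a minimal HS256 issuer, the stateless signature-and-expiry check that a logout-unaware server stops at, and a server-side denylist keyed by the token's jti that is consulted on every request. The signing key, user names and jti values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key: a real deployment loads its signing key from a secret store.
SECRET = b"constructed-demo-signing-key"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(sub: str, jti: str, issued_at: int, ttl: int) -> str:
    """Mint an HS256 JWT carrying a unique id (jti) so it can be revoked later."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "jti": jti, "exp": issued_at + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_signature(token: str):
    """Stateless check only (structure, signature): all a logout-unaware server does."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse 'none' and any algorithm we never issue
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
        return claims if isinstance(claims, dict) else None
    except (ValueError, AttributeError, TypeError):
        return None

class SessionStore:
    """Server-side revocation: a logged-out jti is denied until its own exp passes."""
    def __init__(self) -> None:
        self.revoked = {}  # jti -> exp, so entries can be pruned once exp has passed

    def logout(self, token: str) -> None:
        claims = verify_signature(token)  # only revoke tokens we actually issued
        if claims and "jti" in claims:
            self.revoked[claims["jti"]] = claims.get("exp", 0)

    def prune(self, now: int) -> None:
        self.revoked = {j: e for j, e in self.revoked.items() if e > now}

    def authenticate(self, token: str, now: int):
        claims = verify_signature(token)
        if not claims or claims.get("exp", 0) <= now or claims.get("jti") in self.revoked:
            return None
        return claims["sub"]
```

After logout, verify_signature still accepts the token (the condition this CVE describes) while SessionStore.authenticate rejects it; the denylist only needs to hold a jti until the token's own exp, which is why short expiry windows also keep the store small.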