Cyber Posture

CVE-2025-57735

Critical

Published: 09 April 2026
Modified: 17 April 2026
KEV Added: not listed
Patch: available (fixed in Apache Airflow 3.2.0)
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0004 (11.0th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-57735 is a critical-severity Insufficient Session Expiration (CWE-613) vulnerability in Apache Airflow: logging out does not invalidate the JWT the user authenticated with. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Session Cookie (T1550.004). Its EPSS score places it at the 11.0th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog. The gap between the Critical rating and the low exploit likelihood is expected: the CVSS vector scores what an attacker can do with a token already in hand, while exploitation first requires that token to be captured.

The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination), SC-23 (Session Authenticity) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Web Session Cookie (T1550.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent · AC-12 (Session Termination) requires user sessions to be terminated automatically under defined conditions, and its enhancement AC-12(1) covers user-initiated logout. Applied here, the server must stop honouring the JWT once the user logs out instead of leaving it valid until its natural expiry.

prevent · SC-23 (Session Authenticity) protects the authenticity of communication sessions; its enhancement SC-23(1) requires session identifiers to be invalidated at logout, which is exactly the missing step behind this CVE (the JWT is the session identifier in Airflow's API).

prevent · IA-5 (Authenticator Management) requires authenticators to be managed across their lifecycle, including revocation. Treating the JWT as an authenticator, logout must revoke it server-side (for example by recording the token's identifier in a denylist that every request is checked against) so that a copy captured earlier cannot be replayed.

MITRE ATT&CK Enterprise Techniques

T1550.004 Web Session Cookie (sub-technique of Use Alternate Authentication Material; tactics: Defense Evasion, Lateral Movement)
Adversaries can use stolen session cookies to authenticate to web applications and services without knowing the user's credentials.
Why these techniques?

Because the JWT is not invalidated at logout, a token intercepted earlier remains a valid bearer credential and can be replayed to impersonate the user (T1550.004). Whether the token travels as a cookie or in an Authorization header, the technique is the same: present previously captured session material instead of authenticating.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
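What this looks like from the defender's side, as an added example rather than anything from the page's analysis or from Airflow: a small detector that flags requests presenting the same token fingerprint after a logout was recorded for that token, which is the observable side effect of T1550.004 against an instance that does not invalidate tokens at logout. The log format, field names, sample lines and the logout path are all constructed for the example; a real deployment's logout path depends on the configured auth manager.

```python
# Added example, not Airflow's code or log format. The log lines below are constructed:
# ISO timestamp, user, token fingerprint (never log the raw token), method, path.
from datetime import datetime

SAMPLE_LOG = """\
2026-04-10T09:00:01Z alice tok:a1b2 GET /api/v2/dags
2026-04-10T09:05:00Z alice tok:a1b2 POST /auth/logout
2026-04-10T09:07:30Z alice tok:a1b2 GET /api/v2/dags
2026-04-10T09:08:00Z alice tok:a1b2 POST /api/v2/dags/etl/dagRuns
2026-04-10T09:10:00Z bob tok:c3d4 GET /api/v2/dags
2026-04-10T09:11:00Z bob tok:c3d4 POST /auth/logout
2026-04-10T09:12:00Z bob tok:e5f6 GET /api/v2/dags
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, user, fingerprint, method, path)."""
    ts, user, fp, method, path = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, fp, method, path


def detect_reuse_after_logout(log_text, logout_path="/auth/logout"):
    """Return one finding per request that presents a token after that token logged out.

    logout_path is hypothetical; set it to the logout endpoint of the real deployment.
    """
    # Sort by timestamp so out-of-order log delivery cannot hide a reuse.
    events = sorted(parse_line(line) for line in log_text.splitlines() if line.strip())
    logout_at = {}   # token fingerprint -> time of its first logout
    findings = []
    for ts, user, fp, method, path in events:
        if method == "POST" and path == logout_path:
            logout_at.setdefault(fp, ts)
            continue
        if fp in logout_at and ts > logout_at[fp]:
            findings.append({
                "user": user,
                "token": fp,
                "ts": ts.isoformat(),
                "method": method,
                "path": path,
                "seconds_after_logout": (ts - logout_at[fp]).total_seconds(),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_reuse_after_logout(SAMPLE_LOG):
        print(finding)
```

In the sample, alice's token is presented twice after her logout and is flagged both times, while bob logs out and returns with a fresh token, which is not flagged. A hit proves only that the token was used after logout, not who used it; on a patched instance the request would have been rejected, so on a vulnerable one a hit is the cue to revoke the token and review what the second session did.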

NVD Description

When a user logged out, the JWT token the user had authenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about the logout scenario and the possibility of intercepting the tokens should upgrade to Airflow 3.2+. Users are recommended to upgrade to version 3.2.0, which fixes this issue.

Deeper analysis

CVE-2025-57735 is an insufficient session expiration vulnerability (CWE-613) in Apache Airflow 3.0.0 up to, but not including, 3.2.0. In these versions logging out does not invalidate the JWT the user authenticated with: the server keeps accepting it for as long as the token itself remains unexpired, so a copy obtained earlier can be replayed after the user believes the session is closed. The CVSS v3.1 base score is 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N): high impact on confidentiality and integrity, no impact on availability.

Exploitation requires the attacker to already hold a copy of a valid token, for example by sniffing traffic that is not protected by HTTPS or through any other disclosure of the token. Given the token, no privileges, user interaction or special conditions are needed: the attacker replays it over the network and acts as the user, reading data or performing actions within that user's permissions. The CVSS vector scores this replay step, not the capture step; the need for a separate token disclosure is consistent with the low EPSS score despite the Critical rating.

The Apache Airflow advisory recommends upgrading to version 3.2.0 or later, which invalidates the JWT at logout. The fix and related discussion are in GitHub pull requests #56633 and #61339 and in the announcements on the Apache mailing lists and oss-security. Until the upgrade is applied, keeping the configured token lifetime short narrows the window in which a captured token stays usable, but does not close it.
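The failure mode and its fix side by side, as an added example rather than Airflow's own code: a stdlib-only HS256 token service in which the vulnerable logout does nothing server-side, so a captured token stays accepted until its exp (the pre-3.2 behaviour described above), while the hardened logout records the token's jti in a revocation store that every request checks (the invalidation AC-12, SC-23(1) and IA-5 call for). Function and class names, the secret and the timestamps are hypothetical.

```python
# Added example, not Airflow's implementation. Names, secret and timestamps are hypothetical.
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed for the example


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Mint a signed JWT carrying a unique jti so that individual tokens can be revoked."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
    parts = [b64url_encode(json.dumps(o, separators=(",", ":")).encode()) for o in (header, payload)]
    sig = hmac.new(DEMO_SECRET, ".".join(parts).encode("ascii"), hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(sig)])


def verify_signature_and_expiry(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token is well-formed, HS256-signed with our key and unexpired."""
    try:
        h, p, s = token.split(".")
        sig, header, payload = b64url_decode(s), json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
    except ValueError:  # covers binascii, JSON and unicode decode errors
        return None
    expected = hmac.new(DEMO_SECRET, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256" or not isinstance(payload, dict):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


# --- Vulnerable pattern: the pre-3.2 behaviour this page describes ---
def vulnerable_logout(token: str) -> None:
    """Only the client discards its copy; the server records nothing."""
    return None


def vulnerable_authenticate(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Signature and exp are the only checks, so a captured token works until exp."""
    return verify_signature_and_expiry(token, now)


# --- Hardened pattern: invalidate the session identifier at logout ---
class RevocationStore:
    """Denylist of revoked jti values; an entry is only needed until that token's exp."""

    def __init__(self) -> None:
        self._revoked: dict = {}  # jti -> exp

    def revoke(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp

    def is_revoked(self, jti: str) -> bool:
        return jti in self._revoked

    def purge(self, now: int) -> int:
        """Drop entries whose token has expired on its own; returns how many were dropped."""
        before = len(self._revoked)
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}
        return before - len(self._revoked)


def hardened_logout(token: str, store: RevocationStore, now: Optional[int] = None) -> bool:
    """Record the token's jti; returns False for tokens the verifier would refuse anyway."""
    payload = verify_signature_and_expiry(token, now)
    if payload is None or "jti" not in payload:
        return False
    store.revoke(payload["jti"], payload["exp"])
    return True


def hardened_authenticate(token: str, store: RevocationStore, now: Optional[int] = None) -> Optional[dict]:
    """Same checks as the vulnerable path plus the revocation lookup; tokens without a jti are refused."""
    payload = verify_signature_and_expiry(token, now)
    if payload is None or "jti" not in payload or store.is_revoked(payload["jti"]):
        return None
    return payload


def replay_after_logout(now: int = 1_700_000_000) -> tuple:
    """Attacker captured the token before logout and replays it two minutes later."""
    store = RevocationStore()
    captured = issue_token("alice", ttl=3600, now=now)
    vulnerable_logout(captured)
    hardened_logout(captured, store, now=now + 60)
    later = now + 120
    return (vulnerable_authenticate(captured, later) is not None,
            hardened_authenticate(captured, store, later) is not None)


if __name__ == "__main__":
    print(replay_after_logout())  # (True, False): vulnerable path accepts, hardened path refuses
```

Two design points carry over to a real deployment: the revocation store must be shared by every API server replica (a database table or cache, not process memory), and it stays small because entries can be purged once the token's exp has passed. Revocation by jti only works if tokens carry one; without it the remaining options are coarser, such as revoking everything issued to a subject before a timestamp or rotating the signing key, which logs every user out.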

Details

CWE(s)
CWE-613 Insufficient Session Expiration

Affected Products
apache / airflow: 3.0.0 up to, but not including, 3.2.0

CVEs Like This One (same product: Apache Airflow)

CVE-2026-30911
CVE-2026-31987
CVE-2026-30912
CVE-2025-54550
CVE-2026-30898
CVE-2025-66236
CVE-2024-56373
CVE-2026-25917
CVE-2026-32228
CVE-2025-68438
