Cyber Resilience

CVE-2025-57735

Critical

Published: 09 April 2026

Published
09 April 2026
Modified
17 April 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0067 47.0th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-57735 is a critical-severity Insufficient Session Expiration (CWE-613) vulnerability in Apache Airflow. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Session Cookie (T1550.004); ranked at the 47.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-57735 is an insufficient session expiration vulnerability (CWE-613) affecting Apache Airflow versions prior to 3.2. In these versions, when a user logs out, their JWT authentication token is not invalidated, allowing the token to potentially be reused if intercepted by an attacker. The issue has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to high impacts on confidentiality and integrity.

The vulnerability can be exploited by any network-accessible attacker capable of intercepting a user's JWT token, such as through network sniffing if communications are not properly secured with HTTPS. No privileges, user interaction, or special conditions are required beyond token capture. Successful exploitation enables the attacker to reuse the valid token for unauthorized access, impersonating the legitimate user and potentially compromising sensitive data or performing actions on their behalf.

Apache Airflow advisories recommend upgrading to version 3.2.0 or later, which implements proper JWT token invalidation upon logout. Relevant mitigation details and patches are documented in GitHub pull requests #56633 and #61339, as well as announcements on the Apache mailing lists and oss-security.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at…

more

logout. Users who are concerned about the logout scenario and possibility of intercepting the tokens, should upgrade to Airflow 3.2+ Users are recommended to upgrade to version 3.2.0, which fixes this issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1550.004 Web Session Cookie Lateral Movement
Adversaries can use stolen session cookies to authenticate to web applications and services.
Why these techniques?

Insufficient JWT invalidation on logout directly enables reuse of intercepted session tokens for impersonation/access (T1550.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-68675Same product: Apache Airflow
CVE-2025-66236Same product: Apache Airflow
CVE-2025-68438Same product: Apache Airflow
CVE-2026-42359Same product: Apache Airflow
CVE-2026-41084Same product: Apache Airflow
CVE-2024-56373Same product: Apache Airflow
CVE-2026-30911Same product: Apache Airflow
CVE-2026-49298Same product: Apache Airflow
CVE-2026-30898Same product: Apache Airflow
CVE-2026-31987Same product: Apache Airflow

Affected Assets

apache
airflow
3.0.0 — 3.2.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-12 requires automatic termination of user sessions upon logout, directly preventing reuse of non-invalidated JWT tokens post-logout.

prevent

SC-23 mandates protection and invalidation of authenticators like JWT tokens upon session termination, addressing the core failure in token invalidation on logout.

prevent

IA-5 requires management and revocation of authenticators, including disabling JWT tokens upon user logout events.

References