Nepalese Engineer Addresses Critical Vulnerability in Apache Airflow Used by Fortune 500 Companies
The Software Engineer Who Contributed a Fix for an Apache Airflow Vulnerability Used by Some Fortune 500 Companies
Usa Today
Image: Usa Today
Anish Giri, a software engineer from Nepal, contributed a significant fix for a critical vulnerability in Apache Airflow, impacting many Fortune 500 companies. The flaw allowed session tokens to remain valid post-logout, posing security risks. His solution, implemented in version 3.2.0, introduces a revocation list to enhance security.
- 01Anish Giri's fix for CVE-2025-57735 involved 3,600 code changes to improve session management in Apache Airflow.
- 02The vulnerability allowed JSON Web Tokens to remain valid after user logout, posing significant security risks.
- 03Apache Airflow has become a key tool for data engineering, adopted by numerous Fortune 500 companies.
- 04The fix was documented in GitHub Pull Request #61339 and indexed by NIST, highlighting its importance in the security community.
- 05Tenable rated the vulnerability as critical, with a CVSS score of 9.1, emphasizing the potential impact on organizations.
Advertisement
In-Article Ad
Anish Giri, a software engineer from Nepal, made a notable contribution by fixing a critical vulnerability in Apache Airflow, a tool widely used by Fortune 500 companies. The vulnerability, registered as CVE-2025-57735, allowed JSON Web Tokens (JWTs) to remain valid even after a user logged out, which could lead to unauthorized access if intercepted. Giri's fix involved approximately 3,600 code changes, introducing a dedicated database table to effectively manage token identifiers upon logout. This solution, included in Apache Airflow version 3.2.0, enhances security by blocking access when a logged-out token is detected. Apache Airflow, which originated at Airbnb in 2014 and became an Apache Software Foundation project, is now essential for managing complex data workflows across various sectors. The fix has been formally indexed by the National Institute of Standards and Technology (NIST) and rated as critical by Tenable, with a CVSS score of 9.1, underscoring its importance in safeguarding data infrastructure.
Advertisement
In-Article Ad
The fix enhances security for organizations using Apache Airflow, protecting sensitive data and operations.
Advertisement
In-Article Ad
Reader Poll
How important do you think software security fixes are for organizations?
Connecting to poll...
Read the original article
Visit the source for the complete story.