CVE-2025-50213: Apache Airflow Providers Snowflake: Potential SQL injection in CopyFromExternalStageToSnowflakeOperator

Description

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) vulnerability in Apache Airflow Providers Snowflake.

This issue affects Apache Airflow Providers Snowflake: before 6.4.0.

Sanitization of the table and stage parameters was added in CopyFromExternalStageToSnowflakeOperator to prevent SQL injection.
Users are recommended to upgrade to version 6.4.0, which fixes the issue.
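
The kind of check the description refers to, as an added example that is not the provider's own code: table and stage names are matched against an allowlist grammar before being interpolated into a `COPY INTO` statement. The function names, the simplified statement, and the identifier grammar (unquoted Snowflake identifiers, up to three dot-separated parts) are assumptions.

```python
import re

# Assumption: only unquoted Snowflake identifiers are accepted. Each part
# starts with a letter or underscore, then letters, digits, "_" or "$".
# Up to three dot-separated parts (database.schema.object) are allowed.
# Quoted identifiers and stage paths are rejected by this sketch.
_PART = r"[A-Za-z_][A-Za-z0-9_$]*"
_QUALIFIED = re.compile(rf"{_PART}(?:\.{_PART}){{0,2}}")


def validate_identifier(value, kind):
    """Return value unchanged if it is a plain identifier, else raise."""
    # fullmatch() rejects trailing newlines, which "$" anchors would allow.
    if not isinstance(value, str) or not _QUALIFIED.fullmatch(value):
        raise ValueError(f"invalid {kind} name: {value!r}")
    return value


def build_copy_statement(table, stage):
    """Hypothetical builder: interpolates only validated names."""
    table = validate_identifier(table, "table")
    stage = validate_identifier(stage, "stage")
    return f"COPY INTO {table} FROM @{stage}"


def rejected(values, kind="table"):
    """Return the subset of values that fail validation."""
    bad = []
    for value in values:
        try:
            validate_identifier(value, kind)
        except ValueError:
            bad.append(value)
    return bad


# Constructed sample inputs, not taken from the advisory.
SAMPLES = ["ORDERS", "SALES.PUBLIC.ORDERS", "ORDERS; SELECT 1",
           "ORDERS -- x", "a.b.c.d", "", "ORDERS\n"]

if __name__ == "__main__":
    print(build_copy_statement("SALES.PUBLIC.ORDERS", "RAW_STAGE"))
    print("rejected:", rejected(SAMPLES))
```
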

Classification

CVE ID: CVE-2025-50213

Problem Types

CWE-75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

Affected Products

Vendor: Apache Software Foundation

Product: Apache Airflow Providers Snowflake

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.5% (share of scored vulnerabilities with an equal or lower EPSS score)

EPSS Date: 2025-07-01 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-50213
https://github.com/apache/airflow/pull/51734
https://lists.apache.org/thread/2kqfmyt2pghg5f6797g8hzvq331v8qx3

Timeline