Headline
GHSA-c3c6-f2ww-xfr2: Apache Airflow: pickle deserialization vulnerability in XComs
Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of “enable_xcom_pickling=False” configuration setting resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it requires a DAG author to exploit it. Users are recommended to upgrade to version 2.8.1 or later, which fixes this issue.
Apache Airflow: pickle deserialization vulnerability in XComs
High severity GitHub Reviewed Published Jan 24, 2024 to the GitHub Advisory Database • Updated Jan 24, 2024