CVE-2025-50213 — Apache Airflow Providers Snowflake package allows for Special Element Injection

Description

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) vulnerability in Apache Airflow Providers Snowflake. This issue affects Apache Airflow Providers Snowflake: before 6.4.0. Sanitation of table and stage parameters were added in CopyFromExternalStageToSnowflakeOperator to prevent SQL injection Users are recommended to upgrade to version 6.4.0, which fixes the issue.

How to fix CVE-2025-50213

To remediate CVE-2025-50213, upgrade the affected package to a fixed version below.

—upgrade to 6.4.0 or later
—upgrade to 6.4.0 or later

Is CVE-2025-50213 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 6.4.0
from 0, < 6.4.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (7)

ADVISORYgithub.com/advisories/GHSA-9r64-3wmc-x8m8
ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-50213
WEBgithub.com/apache/airflow
WEBgithub.com/apache/airflow/pull/51734
WEB