oleg-condukt opened a new issue, #53829: URL: https://github.com/apache/airflow/issues/53829
### Apache Airflow version

2.11.0

### If "Other Airflow 2 version" selected, which one?

_No response_

### What happened?

Flask-AppBuilder prior to 4.6.2 would allow for a malicious unauthenticated actor to perform an open redirect by manipulating the Host header in HTTP requests. See CVE-2025-32962 for more details.

Vulnerable version 4.5.2 is hardcoded in `providers/fab/provider.yaml`.

### What you think should happen instead?

Vulnerable dependency needs to be updated.

### How to reproduce

Verify the version in https://github.com/apache/airflow/blob/v2-11-stable/airflow/providers/fab/provider.yaml

CVE link: https://nvd.nist.gov/vuln/detail/cve-2025-32962

### Operating System

OSX 15.5

### Versions of Apache Airflow Providers

2.10, 2.11

### Deployment

Docker-Compose

### Deployment details

_No response_

### Anything else?

_No response_

### Are you willing to submit PR?

- [ ] Yes I am willing to submit a PR!

### Code of Conduct

- [x] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
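The check the issue asks readers to do by hand can be scripted. This is an added example, not code from the issue or from the Airflow project: it scans a dependency list for a Flask-AppBuilder pin and reports whether the specifier forces a release older than 4.6.2. The sample list is constructed, and the function names and the `provider.yaml` layout shown are assumptions.

```python
import re

PACKAGE = "flask-appbuilder"
FIXED = (4, 6, 2)  # the issue says releases prior to 4.6.2 are affected

# Constructed sample; the real provider.yaml layout is an assumption.
SAMPLE = """\
dependencies:
  - apache-airflow>=2.9.0
  - flask>=2.2,<2.3
  - flask-appbuilder==4.5.2
  - flask-login>=0.6.2
"""

def parse_version(text):
    # Numeric release segment only; pre-release suffixes are ignored.
    nums = [int(n) for n in re.match(r"\d+(?:\.\d+)*", text).group(0).split(".")]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(requirement):
    """Return None for other packages, else 'vulnerable', 'fixed' or 'allows-vulnerable'."""
    m = re.match(r"([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?(.*)", requirement.strip())
    if not m or re.sub(r"[-_.]+", "-", m.group(1)).lower() != PACKAGE:
        return None
    forced_old = forced_new = False
    spec = m.group(2).split(";")[0]  # drop environment markers
    # Operators not listed here (~=, !=) are skipped, which leaves the
    # conservative 'allows-vulnerable' verdict.
    for op, ver in re.findall(r"(==|>=|<=|>|<)\s*(\d[0-9A-Za-z.]*)", spec):
        v = parse_version(ver)
        if op == "==":
            forced_old, forced_new = forced_old or v < FIXED, forced_new or v >= FIXED
        elif op in (">=", ">"):
            forced_new = forced_new or v >= FIXED
        elif op == "<":
            forced_old = forced_old or v <= FIXED
        else:  # "<="
            forced_old = forced_old or v < FIXED
    if forced_old:
        return "vulnerable"
    return "fixed" if forced_new else "allows-vulnerable"

def audit(text):
    """Return (line number, requirement, verdict) for each pin of PACKAGE."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        requirement = line.strip().lstrip("-").strip().strip("'\"")
        verdict = classify(requirement)
        if verdict:
            findings.append((number, requirement, verdict))
    return findings
```

A verdict of `allows-vulnerable` means the specifier does not exclude affected releases, so the resolved version in the lock file or image still has to be checked.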
