chore(deps): update dependency apache-airflow-providers-http to v6 [security]#14291
Open
renovate-bot wants to merge 1 commit into
Conversation
trusted-contributions-gcf
Bot
added
kokoro:force-run
product-auto-label
Bot
added
samples
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Code Review
This pull request updates the apache-airflow-providers-http dependency to version 6.0.0 in requirements.txt. The reviewer noted that the corresponding constraints.txt file must also be updated to match this version to prevent installation and constraint conflicts.
| apache-airflow-providers-apache-beam==5.1.1 | ||
| apache-airflow-providers-slack==7.3.2 | ||
| apache-airflow-providers-http==4.4.2 | ||
| apache-airflow-providers-http==6.0.0 |
Contributor
There was a problem hiding this comment.
The dependency apache-airflow-providers-http has been updated to 6.0.0, but the corresponding constraints.txt file still references apache-airflow-providers-http==4.4.2 on line 122. Please update constraints.txt to match this version to avoid installation and constraint conflicts.
kokoro-team
removed
the
kokoro:force-run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==4.4.2→==6.0.0Apache Airflow Providers Http has Unsafe Pickle Deserializatio leading to RCE via HttpOperator
CVE-2025-69219 / GHSA-9r5j-7r2x-rv4g
More information
Details
A user with access to the DB could craft a database entry that would result in executing code on Triggerer - which gives anyone who have access to DB the same permissions as Dag Author. Since direct DB access is not usual and recommended for Airflow, the likelihood of it making any damage is low.
Users should upgrade to version 6.0.0 of the provider to avoid even that risk.
Severity
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.