With Apache Airflow powering complex data pipelines for thousands of companies, any security flaw in it can ripple across the data world. CVE-2022-43982 is a cross-site scripting (XSS) vulnerability affecting Airflow versions prior to 2.4.2. The affected surface was the “Trigger DAG with config” screen, reachable by any user permitted to trigger DAGs. The cause: mishandling of the origin query parameter.

This post breaks down the vulnerability in simple terms and shows you exactly how it worked—including proof-of-concept code and how to stay safe.

What is CVE-2022-43982?

CVE-2022-43982 was filed after it was discovered that the origin query argument of the “Trigger DAG with config” route was not properly sanitized, allowing an attacker to inject JavaScript into the page. If an attacker tricked you into opening a specially crafted link while logged in, that code would run in your browser under your Airflow session: it could steal session data or perform any action your account is allowed to, which for an admin means full control of the deployment.

Official Advisory

- Apache Airflow Security Advisory
- NVD Record

Understanding the Attack: Why Was "Origin" So Dangerous?

When you trigger a DAG (Directed Acyclic Graph) manually in Airflow, you can supply a run configuration through a form. That page’s URL carries an origin parameter holding the URL Airflow should send you back to after the trigger (or when you cancel).

But: If origin included unsanitized HTML or JavaScript, it would end up directly inside the rendered web page, opening the door for XSS attacks.

/trigger?dag_id=example_dag&origin=<script>alert('XSS!')</script>

If the application inserts origin into the HTML page without escaping it, that JavaScript runs as soon as the page loads. That is a classic reflected XSS attack: the payload lives in the link, not on the server, and fires once per victim who opens it.

Proof of Concept: How to Exploit CVE-2022-43982

Suppose a target is running a vulnerable Airflow (any release before 2.4.2) and you can reach its web UI. You craft a link such as:

https://your-airflow-host.com/trigger?dag_id=example_dag&origin=%3Cscript%3Ealert('Hacked!')%3C/script%3E

(The %3C and %3E are < and > in URL encoding.)

When the victim (an authenticated Airflow user) opens it, their browser executes alert('Hacked!'). A real attack would do something quieter, such as exfiltrating data or issuing requests with the victim's session, for example triggering or pausing DAGs.
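On the defensive side, the crafted link leaves a trace in the web server's access log. The following added example (not code from the post or from Apache Airflow) scans Common Log Format lines for /trigger requests whose origin value carries markup, a non-http(s) scheme, or a URL pointing off-host. The log lines, user names and the host name are constructed for illustration.

```python
"""Detect CVE-2022-43982-style probes in web-server access logs.

Added example, not code from the post or from Apache Airflow. It parses
Common Log Format lines and flags /trigger requests whose origin value
contains markup, a non-http(s) scheme, or an off-host URL. The log lines,
host name and user names below are constructed for illustration.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

OWN_HOST = "your-airflow-host.com"  # assumed: the Airflow server's own host

# Constructed sample traffic (not real logs): one benign trigger, three
# suspicious ones, and an unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - alice [02/Nov/2022:12:15:01 +0000] "GET /trigger?dag_id=example_dag&origin=/dags/example_dag/grid HTTP/1.1" 200 512
10.0.0.9 - bob [02/Nov/2022:12:16:44 +0000] "GET /trigger?dag_id=example_dag&origin=%3Cscript%3Ealert('Hacked!')%3C/script%3E HTTP/1.1" 200 514
10.0.0.9 - bob [02/Nov/2022:12:17:02 +0000] "GET /trigger?dag_id=example_dag&origin=javascript:alert(1) HTTP/1.1" 200 508
10.0.0.7 - carol [02/Nov/2022:12:18:30 +0000] "GET /trigger?dag_id=example_dag&origin=https://evil.example/phish HTTP/1.1" 200 510
10.0.0.5 - alice [02/Nov/2022:12:19:10 +0000] "GET /home HTTP/1.1" 200 2048
"""

# Request line inside the quotes: METHOD TARGET PROTOCOL
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')
# Angle brackets or an inline event handler (onerror=, onload=, ...)
MARKUP_RE = re.compile(r"[<>]|\bon\w+\s*=", re.IGNORECASE)


def classify_origin(raw: str, own_host: str = OWN_HOST) -> Optional[str]:
    """Return a finding label for a suspicious raw origin value, else None."""
    # Decode twice so double-encoded payloads (%253C -> %3C -> <) are seen.
    decoded = unquote(unquote(raw)).strip()
    if MARKUP_RE.search(decoded):
        return "html-injection"
    try:
        parts = urlsplit(decoded)
    except ValueError:                 # e.g. an unbalanced IPv6 literal
        return "malformed-url"
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return "dangerous-scheme"      # javascript:, data:, vbscript: ...
    if parts.netloc and parts.netloc.lower() != own_host:
        return "external-redirect"     # open-redirect / phishing target
    return None


def scan_log(log_text: str, own_host: str = OWN_HOST) -> List[Tuple[str, str, str]]:
    """Return (user, raw_origin, finding) for each suspicious /trigger request."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group("target"))
        if target.path != "/trigger":
            continue
        # Keep the raw (still percent-encoded) value so the report shows
        # exactly what was sent; classify_origin decodes it itself.
        for pair in target.query.split("&"):
            key, _, value = pair.partition("=")
            if key != "origin":
                continue
            finding = classify_origin(value, own_host)
            if finding:
                user = line.split()[2]     # CLF fields: host ident authuser ...
                findings.append((user, value, finding))
    return findings


if __name__ == "__main__":
    for user, origin, finding in scan_log(SAMPLE_LOG):
        print(f"{finding:18} user={user:6} origin={origin}")
```

Running the block over the constructed log reports bob's two payloads (markup, then a javascript: scheme) and carol's off-host redirect, while alice's relative origin passes. A hit on a vulnerable release is worth treating as an attempted attack against whichever user the authuser field names, since the payload executes in that user's session.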

At the heart of this flaw is the pattern below, a simplified illustration of how a reflected query parameter reaches the rendered page (not Airflow's actual view code):

# Vulnerable view function (simplified illustration)
from flask import request, render_template

def trigger():
    origin = request.args.get('origin')  # attacker-controlled query value
    return render_template('trigger.html', origin=origin)

And in the Jinja2 template

<!-- vulnerable snippet (trigger.html) -->
<a href="{{ origin }}">Go back</a>

Jinja2 itself does not escape variables by default; Flask turns autoescaping on for templates ending in .html, so with the plain {{ origin }} above the angle brackets of a <script> tag would be encoded and nothing would execute. That protection is lost if the value is rendered with autoescaping off, or if the template marks it safe:

<a href="{{ origin|safe }}">Go back</a>

This bypasses the escaping and renders raw HTML, leading to XSS. One caveat for the href context in particular: HTML escaping neutralises tags and quote characters, but it does nothing to a javascript: URL, which is a perfectly valid attribute value. A redirect target such as origin therefore has to be validated as a URL (scheme and host), not merely escaped.

How Was It Fixed?

The fix is to ensure that every template variable carrying untrusted data is escaped on output, and to validate origin as a URL before it is reflected into the page or used as a redirect target.

The relevant patch is here:
https://github.com/apache/airflow/pull/26926/files

In patched templates, direct use of unsafe variables is avoided, and the origin parameter is strictly checked or ignored unless it passes validation.
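To make the two previous sections concrete, here is an added example (standard-library Python, not code from the post or from Apache Airflow) that places the unsafe back-link rendering beside a hardened version. html.escape stands in for Jinja2/Flask autoescaping (it performs the same HTML-entity encoding), and safe_origin is an illustrative same-host, http(s)-only validator of the kind a redirect target needs. The host name and the /home fallback route are assumptions.

```python
"""The unsafe back-link rendering the post describes, beside a hardened one.

Added example, not code from the post or from Apache Airflow, standard
library only. html.escape stands in for Jinja2/Flask autoescaping, and
safe_origin is an illustrative same-host, http(s)-only validator. The host
name and the /home fallback route are assumptions.
"""
from html import escape
from typing import Optional
from urllib.parse import unquote, urljoin, urlsplit

OWN_HOST = "your-airflow-host.com"  # assumed: the Airflow server's own host
HOME = "/home"                      # assumed: where rejected origins land


def render_back_link_vulnerable(origin: str) -> str:
    """Equivalent of <a href="{{ origin|safe }}">: raw interpolation."""
    return f'<a href="{origin}">Go back</a>'


def render_back_link_escaped(origin: str) -> str:
    """Equivalent of <a href="{{ origin }}"> with autoescaping on."""
    return f'<a href="{escape(origin, quote=True)}">Go back</a>'


def safe_origin(origin: Optional[str], own_host: str = OWN_HOST) -> str:
    """Return origin only if it is a relative path or a same-host http(s) URL.

    Everything else (javascript:/data: schemes, protocol-relative or
    absolute URLs to other hosts, control characters, attribute-breaking
    characters) falls back to HOME.
    """
    decoded = unquote(origin).strip() if origin else ""  # see through %6A%61...
    if not decoded:
        return HOME
    if any(ord(ch) < 0x20 for ch in decoded) or any(ch in decoded for ch in '<>"\'\\'):
        return HOME
    # Resolve relative paths against our own host, then require our host back.
    # This rejects //evil.example/x, https://evil.example/x and
    # https://own-host@evil.example/x (netloc keeps the userinfo part).
    resolved = urlsplit(urljoin(f"https://{own_host}/", decoded))
    if resolved.scheme.lower() not in ("http", "https"):
        return HOME
    if resolved.netloc.lower() != own_host.lower():
        return HOME
    return decoded


def render_back_link_hardened(origin: Optional[str]) -> str:
    """Validate the URL first, then still escape it on output."""
    return render_back_link_escaped(safe_origin(origin))


if __name__ == "__main__":
    tag = "<script>alert('Hacked!')</script>"
    url = "javascript:alert(1)"
    print("vulnerable :", render_back_link_vulnerable(tag))
    print("escaped    :", render_back_link_escaped(tag))
    print("escaped    :", render_back_link_escaped(url), "<- still clickable")
    print("hardened   :", render_back_link_hardened(url))
```

The four printed lines show the whole story: raw interpolation emits the script tag verbatim, autoescaping alone turns the tag into inert text but passes javascript:alert(1) straight through into the href, and only the validate-then-escape combination yields a harmless link. Both layers stay in place because they cover different bugs: the validator decides what the value is allowed to be, the output escaping guarantees that whatever is emitted cannot change the HTML structure around it. In a real application compare against the request's Host header (including any port) rather than a constant.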

Cross-Site Scripting risks include

- Account/session theft
- Privilege escalation

Attackers often use XSS to take over admin accounts, drop malware, or pivot further into your network.

Conclusion

CVE-2022-43982 is a sharp reminder: even trusted, mature frameworks like Airflow can trip up on web security basics. Never underestimate the “humble” query string parameter! If you run Airflow, check your version, upgrade to 2.4.2 or later, and review your access logs for suspicious origin values.

References

- Apache Airflow Security Release Notes
- NVD Database for CVE-2022-43982
- GitHub Pull Request for the Fix

Timeline

Published on: 11/02/2022 12:15:00 UTC
Last modified on: 11/03/2022 13:52:00 UTC