In Nepal, reliable electricity was never a given. Families like Anish Giri’s, considered middle class by local standards, had enough to get by but, with chronic power cuts, little beyond everyday necessities. Government-imposed load shedding often stretched up to 18 hours a day, leaving homes in darkness far longer than they were lit. Despite this, Giri developed over time the technical skills and experience that helped him build a career in software engineering.
His contribution is recorded in the vulnerability records maintained by NIST and is included in Apache Airflow 3.2.0, so any organization that adopts that version receives it. The Apache Software Foundation provided the platform through which the fix was contributed, and NIST formally indexed the result.
CVE-2025-57735 exposed a critical flaw in Apache Airflow’s session management: JSON Web Tokens (JWTs) remained valid even after a user logged out. If intercepted, these tokens could be reused until their natural expiration, effectively undermining a core security control. On a platform used by a wide range of organizations, including some Fortune 500 companies, the issue posed potential operational and security risks, including access control and system management concerns. Giri contributed the fix, addressing an issue that had previously left some of the world’s most critical data infrastructure exposed.
Giri’s implementation introduced a dedicated database table that records a token’s identifier when its user logs out. Every subsequent request is checked against that table; if the identifier appears there, access is denied regardless of the token’s cryptographic validity. The work spanned about 3,600 code changes across Airflow’s security layer, database system, and API infrastructure. Following coordinated disclosure practices, the patch was released before the vulnerability details were made public, giving organizations a window to upgrade before the specifics became widely known; only upgrading to version 3.2.0 fully resolves the issue.
Many organizations running Airflow may eventually upgrade to version 3.2.0 as part of their normal software maintenance cycles, never knowing the name of the person who made their systems safer. The work is in the code. And the contribution remains documented in the Apache Airflow project history.
Apache Airflow began at Airbnb in 2014 as a solution to manage increasingly complex workflows. From the beginning, the project was made open source, entering the Apache Incubator in 2016 and becoming a top-level Apache Software Foundation project in 2019. What started as one company’s internal tool became an important component of many modern data workflows.
According to VentureBeat in 2025, Airflow is now the de facto tool for data engineering and has been adopted by Fortune 500 companies. Recently, it has accumulated over 44,000 GitHub stars, a Slack community of more than 40,000 members, and more than 30 million monthly downloads. The companies running it span every sector: financial services, healthcare, logistics, media, retail, and technology.
The security implications follow directly from the scope. Airflow doesn’t just move data; it moves the decisions that data powers. When a session token persists after logout in this environment, it is not an abstract vulnerability. It is an open door into the systems that determine what a Fortune 500 company does next.
Giri helped address the issue by contributing a fix, building the server-side mechanism that Apache Airflow had never had: a revocation list that blocks a JWT the moment its user logs out. The solution, shipped in Airflow 3.2.0, adds logged-out tokens to a blocklist so that they are rejected on subsequent requests. The implementation is documented in GitHub Pull Request #61339, a public record of exactly what was built, how, and why.
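The mechanism the two paragraphs above describe (a record of revoked token identifiers consulted on every request, so that a token with a valid signature is still refused once its user has logged out) is shown below as an added, stand-alone Python illustration. It is not code from the Airflow project or from the pull request: it uses a minimal HS256 JWT built from the standard library, a constructed signing key, and an in-memory dictionary where Airflow uses a database table. It also covers two details a practitioner would want: a token that carries no identifier (`jti`) cannot be revoked and so is rejected outright, and revoked entries can be pruned once the token would have expired on its own.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for this example; an Airflow deployment gets its key from its own config.
SECRET = b"example-signing-key-not-a-real-one"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(sub: str, jti: Optional[str], ttl: int = 3600,
               now: Optional[float] = None) -> str:
    """Issue an HS256 JWT. jti=None deliberately omits the token identifier."""
    now = time.time() if now is None else now
    claims = {"sub": sub, "iat": int(now), "exp": int(now) + ttl}
    if jti is not None:
        claims["jti"] = jti
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_signature(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Cryptographic check only: signature and expiry. Returns claims or None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # malformed token, bad base64, or invalid JSON
        return None
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


class RevocationList:
    """In-memory stand-in for the revoked-token table the fix introduces."""

    def __init__(self) -> None:
        self._revoked: dict = {}  # jti -> exp, kept so stale entries can be pruned

    def revoke(self, claims: dict) -> None:
        self._revoked[claims["jti"]] = claims["exp"]

    def is_revoked(self, jti: str) -> bool:
        return jti in self._revoked

    def prune(self, now: Optional[float] = None) -> int:
        """Drop entries whose token has expired anyway; returns remaining count."""
        now = time.time() if now is None else now
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}
        return len(self._revoked)


def logout(token: str, revocations: RevocationList, now: Optional[float] = None) -> None:
    claims = verify_signature(token, now)
    if claims and "jti" in claims:
        revocations.revoke(claims)


def authorize_vulnerable(token: str, now: Optional[float] = None) -> bool:
    # Pre-fix behaviour: cryptographic validity alone grants access.
    return verify_signature(token, now) is not None


def authorize_fixed(token: str, revocations: RevocationList,
                    now: Optional[float] = None) -> bool:
    claims = verify_signature(token, now)
    if claims is None:
        return False
    jti = claims.get("jti")
    if jti is None:  # cannot be revoked, so it cannot be trusted
        return False
    return not revocations.is_revoked(jti)


def demo(now: float = 1_700_000_000.0) -> dict:
    """Walk through the logout scenario at a fixed clock; returns the outcomes."""
    revocations = RevocationList()
    session = mint_token("analyst", "sess-1", now=now)
    results = {"before_logout": authorize_fixed(session, revocations, now + 10)}
    logout(session, revocations, now + 10)
    results["vulnerable_after_logout"] = authorize_vulnerable(session, now + 20)
    results["fixed_after_logout"] = authorize_fixed(session, revocations, now + 20)
    other = mint_token("analyst", "sess-2", now=now + 20)
    results["other_session_unaffected"] = authorize_fixed(other, revocations, now + 30)
    results["no_jti_rejected"] = authorize_fixed(
        mint_token("analyst", None, now=now), revocations, now + 10)
    header, _, sig = session.split(".")  # forged payload reusing the old signature
    forged_payload = _b64url(json.dumps(
        {"sub": "admin", "jti": "sess-9", "exp": int(now) + 9999}).encode())
    results["forged_rejected"] = authorize_fixed(
        f"{header}.{forged_payload}.{sig}", revocations, now + 10)
    results["entries_after_prune"] = revocations.prune(now + 3601)
    return results


if __name__ == "__main__":
    print(demo())
```

The `vulnerable_after_logout` outcome is the bug in one line: the signature still checks out, so a server that stops at `verify_signature` keeps honouring the token until `exp`. The fixed path adds one lookup per request, which is the cost of server-side revocation with stateless tokens; keeping the expiry alongside each revoked identifier is what keeps that table from growing without bound.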
The significance of what followed is worth pausing on. NIST, the National Institute of Standards and Technology, a United States federal agency that sets the benchmarks by which the security industry measures itself, formally indexed the vulnerability and its remediation in the National Vulnerability Database. The CVE is registered with both MITRE and NVD, two widely recognized sources used for vulnerability tracking and reporting. When a fix receives that level of recognition, it becomes part of publicly documented vulnerability records that many security teams and organizations reference.
The security industry’s verdict on the severity of CVE-2025-57735 is unambiguous. Tenable, one of the world’s leading vulnerability management platforms, rates CVE-2025-57735 as critical, with a CVSS v3 base score of 9.1. When Tenable indexes a vulnerability, it becomes available through the company’s vulnerability management and detection resources.
He learned to work in the dark. As it turns out, that is not a bad preparation for security engineering.
The Software Engineer Who Contributed a Fix for an Apache Airflow Vulnerability Used by Some Fortune 500 Companies – USA Today