Redshift Python Connector 2.1.x SSL cert bypass via BrowserAzureOAuth2
CVE-2025-5279 Published on May 27, 2025
Issue with Amazon Redshift Python Connector and the BrowserAzureOAuth2CredentialsProvider plugin
When the Amazon Redshift Python Connector is configured with the BrowserAzureOAuth2CredentialsProvider plugin, the driver skips TLS (SSL) certificate validation for the connection to the Identity Provider. Because the IdP's certificate is never checked, an attacker positioned on the network path can present a forged certificate, impersonate the IdP during the OAuth2 token exchange, and obtain the resulting access token.
This issue is fixed in driver version 2.1.7. Users should upgrade to 2.1.7 or later, and anyone maintaining a fork or derivative of the connector should port the fix so that certificate validation is enforced for the IdP connection.
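A practical check for the issue above, written as an added example (not code from the advisory or from the redshift-connector project): it tests whether an installed redshift-connector falls in the affected range from the table on this page (>= 2.0.872 and < 2.1.7), refuses the BrowserAzureOAuth2CredentialsProvider configuration on an affected version, and contrasts a client TLS context with validation disabled (the CWE-295 pattern, shown for illustration; the advisory does not say which call the connector used) with the strict context a client should use for the IdP token exchange. The distribution names tried and the helper function names are assumptions.

```python
"""Version gate and TLS-context check for CVE-2025-5279 (redshift-connector).
Example code written for this page, not the connector's own implementation."""
import re
import ssl
from importlib import metadata

# Affected range taken from the advisory: >= 2.0.872 and < 2.1.7 (fixed in 2.1.7).
AFFECTED_MIN = (2, 0, 872)
FIXED_IN = (2, 1, 7)

# Both spellings are tried because the PyPI name and the pip name differ in
# hyphen/underscore (assumption: either may be what importlib sees).
DIST_NAMES = ("redshift-connector", "redshift_connector")


def parse_version(text: str) -> tuple:
    """Turn '2.1.6' (or '2.1.6.post1') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(n) for n in m.groups())


def is_affected(version: str) -> bool:
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def installed_connector_version():
    """Version of the installed redshift-connector, or None if it is not installed."""
    for name in DIST_NAMES:
        try:
            return metadata.version(name)
        except metadata.PackageNotFoundError:
            continue
    return None


def browser_azure_oauth2_allowed(version=None):
    """Decide whether BrowserAzureOAuth2CredentialsProvider may be configured.
    Returns (ok, message); ok is False on an affected or missing driver."""
    version = version or installed_connector_version()
    if version is None:
        return False, "redshift-connector is not installed"
    if is_affected(version):
        return False, (f"redshift-connector {version} is affected by CVE-2025-5279; "
                       "upgrade to 2.1.7 or later before using BrowserAzureOAuth2CredentialsProvider")
    return True, f"redshift-connector {version} is not in the affected range"


def unverified_tls_context() -> ssl.SSLContext:
    """Client context with certificate validation switched off: the weakness class
    (CWE-295) this advisory describes. Any peer certificate is accepted, so an
    on-path attacker can impersonate the IdP. Shown only for contrast."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def idp_tls_context() -> ssl.SSLContext:
    """Strict client context for the IdP token exchange: system CA bundle,
    hostname checking, certificate required, and no pre-1.2 TLS."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context both requires a trusted certificate and checks
    that it matches the hostname; anything less lets a forged IdP through."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    ok, msg = browser_azure_oauth2_allowed()
    print(("OK: " if ok else "BLOCKED: ") + msg)
    print("strict context verifies peer:", context_verifies_peer(idp_tls_context()))
    print("unverified context verifies peer:", context_verifies_peer(unverified_tls_context()))
```

Run it in the environment that will use the connector; a "BLOCKED" result means the driver must be upgraded before the browser-based Azure plugin is enabled. The `context_verifies_peer` check is also a useful unit-test assertion against any code path that builds its own TLS context for an identity provider.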
Weakness Type
Improper Certificate Validation
The software does not validate, or incorrectly validates, a certificate. When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host.
Products Associated with CVE-2025-5279
Affected Versions
Amazon Redshift Python Connector (redshift-connector): versions 2.0.872 and later, up to but not including 2.1.7, are affected.
Vulnerable Packages
The following package and version range are associated with CVE-2025-5279:
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| pip | redshift-connector | >= 2.0.872, <= 2.1.6 | 2.1.7 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.