oss-sec mailing list archives

CVE-2025-54941: Apache Airflow: Command injection in "example_dag_decorator"


From: Kaxil Naik <kaxilnaik () gmail com>
Date: Wed, 29 Oct 2025 18:48:10 +0000

CVE-2025-54941: Apache Airflow: Command injection in "example_dag_decorator"

Severity: low

Affected versions:

- Apache Airflow (apache-airflow) >3.0.0, <3.0.5

Description:

The example DAG `example_dag_decorator` had a non-validated parameter that
allowed a UI user to point the example at a malicious server and execute
code on the worker. This, however, required that the example DAGs be
enabled in production (not the default) or that the example DAG code had
been copied to build your own similar DAG.

If you used the `example_dag_decorator`, please review it and apply the
changes implemented in Airflow 3.0.5 accordingly.
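The bug class the advisory describes, as an added example that is neither Airflow's code nor the actual `example_dag_decorator` source: a run-time parameter that reaches a shell command on the worker without validation, beside a hardened version that allowlists the value and hands it to the process as a single argv element. The parameter being a URL, the `curl` command, the host allowlist and the function names are assumptions for illustration; the code is plain Python so it runs without Airflow installed.

```python
"""Added example (not Apache Airflow code): unvalidated parameter reaching a
shell string, beside an allowlist-and-argv hardening of the same step.

Assumptions (labelled): the example DAG took a URL-like parameter that a UI
user could set when triggering a run, and that value was interpolated into a
shell command. Names below are hypothetical, not Airflow's.
"""
import re
import shlex
from urllib.parse import urlsplit

# Constructed allowlist for the example: hosts the task may contact.
ALLOWED_HOSTS = {"httpbin.org", "example.com"}

# Plain http(s) URL: lowercase host, optional path of safe characters,
# no query string, no userinfo, no whitespace or shell metacharacters.
URL_RE = re.compile(r"https?://[a-z0-9.-]+(?:/[A-Za-z0-9._/-]*)?")


def build_unsafe_command(url: str) -> str:
    """Vulnerable pattern: the parameter is pasted into a shell string.
    A ';' (or '&&', '|') in the value becomes a second command on the worker."""
    return f"curl -s {url}"


def count_shell_commands(command_line: str) -> int:
    """How many commands a POSIX shell would run for this string, found by
    tokenising with shell punctuation enabled so ';', '&&', '||', '|', '&'
    come out as separate tokens (requires Python 3.8+ shlex behaviour)."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    separators = {";", "&&", "||", "|", "&"}
    return 1 + sum(1 for tok in lexer if tok in separators)


def validate_url_param(url: str) -> str:
    """Hardened pattern: accept only a plain http(s) URL to an allowlisted
    host. Returns the value unchanged or raises ValueError."""
    if not URL_RE.fullmatch(url):
        raise ValueError("parameter is not a plain http(s) URL")
    host = urlsplit(url).hostname or ""
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {host!r}")
    return url


def build_safe_argv(url: str) -> list:
    """Validate first, then pass the value as one argv element. With
    shell=False in subprocess this goes straight to execve: no word
    splitting, no ';' handling, so the value can never become a command."""
    return ["curl", "-s", "--", validate_url_param(url)]


def is_rejected(url: str) -> bool:
    """True when the hardened validator refuses the value."""
    try:
        validate_url_param(url)
    except ValueError:
        return False or True
    return False


if __name__ == "__main__":
    # Constructed inputs: one benign, one carrying a shell separator.
    benign = "https://httpbin.org/get"
    tainted = "http://httpbin.org/get; echo injected"
    print("unsafe, benign  ->", count_shell_commands(build_unsafe_command(benign)), "command(s)")
    print("unsafe, tainted ->", count_shell_commands(build_unsafe_command(tainted)), "command(s)")
    print("safe argv       ->", build_safe_argv(benign))
    print("tainted rejected:", is_rejected(tainted))
```

The two defences are independent and both worth keeping: the allowlist rejects values the task has no business using at all, and the argv form removes the shell from the path so that even a value the allowlist would let through cannot be parsed as a command. In a real DAG the allowlist belongs where the parameter is declared (Airflow's `Param` accepts JSON-schema constraints such as `format` and `enum`), and the operator should receive an argument list rather than a templated shell string.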

Credit:

Nacl (reporter)

References:

https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-54941
