CVE-2025-54941

CWE-78 — OS Command Injection4 documents4 sources

Severity

4.6MEDIUM

EPSS

0.1%

top 67.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow Apache Airflow

Timeline

PublishedOct 30

Description

An example dag `example_dag_decorator` had non-validated parameter that allowed the UI user to redirect the example to a malicious server and execute code on worker. This however required that the example dags are enabled in production (not default) or the example dag code copied to build your own similar dag. If you used the `example_dag_decorator` please review it and apply the changes implemented in Airflow 3.0.5 accordingly.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:NExploitability: 2.1 | Impact: 2.5

Affected Packages3 packages

▶NVDapache/airflow3.0.0 — 3.0.5

▶PyPIapache-airflow3.0.0 — 3.0.5

▶CVEListV5apache_software_foundation/apache_airflow3.0.0 — < 3.0.5

🔴Vulnerability Details

GHSA

Apache Airflow has a command injection vulnerability in "example_dag_decorator"↗2025-10-30

▶

OSV

Apache Airflow has a command injection vulnerability in "example_dag_decorator"↗2025-10-30

▶

CVEList

Apache Airflow: Command injection in "example_dag_decorator"↗2025-10-30

▶