CVE-2025-62402

CWE-2504 documents4 sources

Severity

5.4MEDIUM

EPSS

0.3%

top 46.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Airflow Apache Airflow

Timeline

PublishedOct 30

Description

API users via `/api/v2/dagReports` could perform Dag code execution in the context of the api-server if the api-server was deployed in the environment where Dag files were available.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages3 packages

▶NVDapache/airflow3.0.0 — 3.1.1

▶PyPIapache-airflow3.0.0 — 3.1.1

▶CVEListV5apache_software_foundation/apache_airflow3.0.0 — 3.1.1

🔴Vulnerability Details

OSV

Apache Airflow `/api/v2/dagReports` executes DAG Python in API↗2025-10-30

▶

CVEList

Apache Airflow: Airflow 3 API: /api/v2/dagReports executes DAG Python in API↗2025-10-30

▶

GHSA

Apache Airflow `/api/v2/dagReports` executes DAG Python in API↗2025-10-30

▶