BIT-airflow-2025-54941

Import Source
https://github.com/bitnami/vulndb/tree/main/data/airflow/BIT-airflow-2025-54941.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-airflow-2025-54941
Aliases
Published
2025-11-06T12:52:52.554Z
Modified
2025-11-06T13:59:43.936843Z
Summary
Apache Airflow: Command injection in "example_dag_decorator"
Details

The example DAG example_dag_decorator had a non-validated parameter that allowed a UI user to redirect the example to a malicious server and execute code on the worker. This, however, required either that the example DAGs were enabled in production (not the default) or that the example DAG code had been copied to build a similar DAG of your own. If you used example_dag_decorator, please review it and apply the changes implemented in Airflow 3.0.5 accordingly.

Database specific
{
    "severity": "Medium",
    "cpes": [
        "cpe:2.3:a:apache:airflow:*:*:*:*:*:python:*:*"
    ]
}
References

Affected packages

Bitnami / airflow

Package

Name
airflow
Purl
pkg:bitnami/airflow

Severity

  • 4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Affected ranges

Type
SEMVER
Events
Introduced
3.0.0
Fixed
3.0.5

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/airflow/BIT-airflow-2025-54941.json"