CVE-2025-54941

Source
https://cve.org/CVERecord?id=CVE-2025-54941
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54941.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-54941
Aliases
Published
2025-10-30T10:15:35.530Z
Modified
2026-03-13T03:36:57.514996Z
Severity
  • 4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Summary
[none]
Details

An example DAG, example_dag_decorator, had a non-validated parameter that allowed a UI user to redirect the example to a malicious server and execute code on the worker. However, this required that the example DAGs be enabled in production (not the default) or that the example DAG code was copied to build your own similar DAG. If you used example_dag_decorator, please review it and apply the changes implemented in Airflow 3.0.5 accordingly.

References

Affected packages

Git / github.com/apache/airflow

Affected ranges

Type
GIT
Repo
https://github.com/apache/airflow
Events
Database specific
{
    "versions": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.0.5"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54941.json"