CVE-2025-54941

MEDIUM

Apache Airflow < 3.0.5 - OS Command Injection

Title source: rule

Description

An example dag `example_dag_decorator` had non-validated parameter that allowed the UI user to redirect the example to a malicious server and execute code on worker. This however required that the example dags are enabled in production (not default) or the example dag code copied to build your own similar dag. If you used the `example_dag_decorator` please review it and apply the changes implemented in Airflow 3.0.5 accordingly.

References (2)

[Mailing List, Vendor Advisory] https://lists.apache.org/thread/c6q6nofc6xl5bms039ks9b34v0v36df1

[Mailing List] http://www.openwall.com/lists/oss-security/2025/10/29/6

Scores

CVSS v3 4.6

EPSS 0.0014

EPSS Percentile 33.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Classification

CWE

CWE-78

Status published

Affected Products (2)

apache/airflow < 3.0.5

pypi/apache-airflow < 3.0.5PyPI

Timeline

Published Oct 30, 2025

Tracked Since Feb 18, 2026