CVE-2025-54941

MEDIUM

Apache Airflow 3.0.0-3.0.5 - OS Command Injection via Example DAG Decorator

Title source: llm

Description

An example dag `example_dag_decorator` had non-validated parameter that allowed the UI user to redirect the example to a malicious server and execute code on worker. This however required that the example dags are enabled in production (not default) or the example dag code copied to build your own similar dag. If you used the `example_dag_decorator` please review it and apply the changes implemented in Airflow 3.0.5 accordingly.

References (2)

Core 2

Core References

Mailing List, Vendor Advisory vendor-advisory

https://lists.apache.org/thread/c6q6nofc6xl5bms039ks9b34v0v36df1

Mailing List

http://www.openwall.com/lists/oss-security/2025/10/29/6

Scores

CVSS v3 4.6

EPSS 0.0013

EPSS Percentile 32.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (2)

apache/airflow 3.0.0 - 3.0.5

pypi/apache-airflow 3.0.0 - 3.0.5PyPI

Published Oct 30, 2025

Tracked Since Feb 18, 2026