CVE-2025-54941
Apache Airflow: Command injection in "example_dag_decorator"
| CVSS Score | 4.6 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
An example DAG, `example_dag_decorator`, had a non-validated parameter that allowed a UI user to redirect the example to a malicious server and execute code on the worker. This, however, required either that the example DAGs be enabled in production (not the default) or that the example DAG code had been copied to build your own similar DAG. If you used the `example_dag_decorator`, please review it and apply the changes implemented in Airflow 3.0.5 accordingly.
| CWE | CWE-78 |
| Vendor | Apache Software Foundation |
| Product | Apache Airflow |
| Published | Oct 30, 2025 |
| Last Updated | Feb 26, 2026 |
Affected Versions
Apache Software Foundation / Apache Airflow
3.0.0 < < 3.0.5
Credits
Nacl