Message-ID: <CAH5JyZqBYne5cB=pgo38u1=67CwK8L8eVaCw9tfaTaWYbEh0Wg@mail.gmail.com>
Date: Wed, 29 Oct 2025 18:48:10 +0000
From: Kaxil Naik <kaxilnaik@...il.com>
To: oss-security@...ts.openwall.com, users@...flow.apache.org, 
	dev@...flow.apache.org
Subject: CVE-2025-54941: Apache Airflow: Command injection in "example_dag_decorator"

CVE-2025-54941: Apache Airflow: Command injection in "example_dag_decorator"

Severity: low

Affected versions:

- Apache Airflow (apache-airflow) > 3.0.0, < 3.0.5

Description:

The example DAG `example_dag_decorator` had a non-validated parameter that
allowed a UI user to point the example at a malicious server and execute
code on the worker. Exploitation, however, required that the example DAGs
were enabled in production (not the default) or that the example DAG code
had been copied to build your own similar DAG.

If you used the `example_dag_decorator`, please review it and apply the
changes implemented in Airflow 3.0.5 accordingly.
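The pattern behind this class of bug, shown as an added illustration that is not Airflow's code and not the 3.0.5 fix itself: a DAG parameter a UI user controls is interpolated into a shell command on the worker, versus the same value validated against an allowlist and passed as an argv element. The allowlist, regex and `is_accepted` helper are constructed for the example; in a real DAG the equivalent constraint belongs on the declared param (Airflow's `Param` accepts JSON-schema keywords such as `pattern` and `enum`).

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: the only hosts this example task may fetch from.
ALLOWED_HOSTS = {"httpbin.org"}
# Plain https URL only: no spaces, quotes, ';', '|', '$', '`' or other shell metacharacters.
URL_RE = re.compile(r"^https://[A-Za-z0-9.-]+(?:/[A-Za-z0-9._/-]*)?$")


def validate_url(url: str) -> str:
    """Return url unchanged if it is a plain https URL to an allowlisted host,
    otherwise raise ValueError so the task fails instead of running it."""
    if not isinstance(url, str) or not URL_RE.match(url):
        raise ValueError(f"url rejected by pattern: {url!r}")
    host = urlparse(url).hostname
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowlisted: {host!r}")
    return url


def is_accepted(url: str) -> bool:
    """Helper (constructed) for tests and for logging rejected parameters."""
    try:
        validate_url(url)
        return True
    except ValueError:
        return False


def unsafe_command(url: str) -> str:
    """Vulnerable pattern (hypothetical): the parameter is interpolated into a
    shell string, so whatever the UI user typed is parsed by the worker's shell."""
    return f"curl -s {url}"


def safe_command(url: str) -> list[str]:
    """Hardened pattern: validate first, then pass the value as one argv element
    for subprocess.run(..., shell=False); no shell ever parses it."""
    return ["curl", "-s", "--", validate_url(url)]


if __name__ == "__main__":
    for candidate in ("https://httpbin.org/get",
                      "https://evil.example/get",
                      "https://httpbin.org/get; echo injected"):
        print(f"{candidate!r}: accepted={is_accepted(candidate)}")
```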

Credit:

Nacl (reporter)

References:

https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-54941

