Parameter Validation Issue in Apache Airflow Affects Custom DAGs
CVE-2025-54941

4.6 MEDIUM

Key Information:

Vendor: Apache

CVE Published: 30 October 2025

What is CVE-2025-54941?

A vulnerability in Apache Airflow's example_dag_decorator allows parameter manipulation, potentially leading to unauthorized redirection of users to malicious servers and execution of arbitrary code on worker nodes. The issue arises when example DAGs are enabled in production or when their code has been copied for custom use. Users who rely on example_dag_decorator should carefully review their implementation and apply the mitigation measures outlined in Airflow version 3.0.5.

Affected Version(s)

Apache Airflow 3.0.0

CVSS V3.1

Score: 4.6
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nacl