Home > Vulnerability Database > CVE-2025-54941

Mend.io Vulnerability Database

CVE-2025-54941

Good to know:

Date: October 30, 2025

An example dag "example_dag_decorator" had non-validated parameter that allowed the UI user to redirect the example to a malicious server and execute code on worker. This however required that the example dags are enabled in production (not default) or the example dag code copied to build your own similar dag. If you used the "example_dag_decorator" please review it and apply the changes implemented in Airflow 3.0.5 accordingly.

Severity Score

4.6

Related Resources (6)

Url: http://www.openwall.com/lists/oss-security/2025/10/29/6

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-54941

Url: https://seclists.org/oss-sec/2025/q4/99

Url: https://github.com/apache/airflow

Url: https://lists.apache.org/thread/c6q6nofc6xl5bms039ks9b34v0v36df1

Url: https://www.mend.io/vulnerability-database/CVE-2025-54941

Severity Score

4.6

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-78

Top Fix

Upgrade Version

Upgrade to version apache-airflow-core - 3.0.5;apache-airflow-core - 3.0.5;apache-airflow - 3.0.5;https://github.com/apache/airflow.git - 3.0.5

Learn More

CVSS v3.1

Base Score:	4.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-54941

Good to know:

Date: October 30, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?