Apache Airflow Command Injection Vulnerability in Example DAG Decorator

Vulnerability

A command injection vulnerability has been identified in the Apache Airflow example DAG named 'example_dag_decorator'. The issue arises from an unvalidated parameter that lets a user redirect the example to a malicious server and execute code on the worker. Exploitation requires either that example DAGs are enabled in production, which is not the default setting, or that the example DAG code has been copied to create a similar DAG. Affected versions are Apache Airflow versions greater than 3.0.0 and prior to 3.0.5.

Impact

Exploitation of this vulnerability could lead to unauthorized code execution on the Airflow worker.

Remediation

Users who have used the 'example_dag_decorator' DAG, or have DAGs derived from it, should review that code and apply the updates introduced in Apache Airflow version 3.0.5.
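As an added defender-side triage check (not part of this advisory and not Airflow's own code), the script below combines the two facts above: the affected version range and whether example DAGs are loaded. It parses a constructed airflow.cfg fragment and honours the AIRFLOW__CORE__LOAD_EXAMPLES environment variable, which Airflow applies over the value in the file; the boolean spellings it accepts are an assumption, not Airflow's exact parser.

```python
import configparser
import re
from typing import Optional

# Constructed sample airflow.cfg fragment for demonstration only.
SAMPLE_CFG = """
[core]
dags_folder = /opt/airflow/dags
load_examples = True
"""


def load_examples_enabled(cfg_text: str, env: dict) -> Optional[bool]:
    """Return True/False if the load_examples setting can be determined, else None.

    The AIRFLOW__CORE__LOAD_EXAMPLES environment variable overrides
    [core] load_examples from airflow.cfg, so it is consulted first.
    """
    raw = env.get("AIRFLOW__CORE__LOAD_EXAMPLES")
    if raw is None:
        parser = configparser.ConfigParser()
        parser.read_string(cfg_text)
        raw = parser.get("core", "load_examples", fallback=None)
    if raw is None:
        return None  # key absent: do not guess the default, flag for manual review
    # Assumed set of truthy spellings; approximates, not reproduces, Airflow's parser.
    return raw.strip().lower() in ("true", "t", "1", "yes", "y")


def version_affected(version: str) -> bool:
    """Affected range as stated by the advisory: greater than 3.0.0 and prior to 3.0.5."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    v = tuple(int(x) for x in m.groups())
    return (3, 0, 0) < v < (3, 0, 5)


def triage(version: str, cfg_text: str, env: dict) -> str:
    """Classify a deployment; copied example code still needs a manual DAG review."""
    if not version_affected(version):
        return "not-affected"
    enabled = load_examples_enabled(cfg_text, env)
    if enabled is None:
        return "affected-load-examples-unset"
    return "affected-examples-loaded" if enabled else "affected-examples-disabled"


if __name__ == "__main__":
    print(triage("3.0.2", SAMPLE_CFG, {}))
    print(triage("3.0.2", SAMPLE_CFG, {"AIRFLOW__CORE__LOAD_EXAMPLES": "False"}))
```

A result of "affected-examples-disabled" only clears the bundled example; DAGs copied from example_dag_decorator must still be reviewed and updated as the advisory states.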

Added: Oct 30, 2025, 10:19 AM
Updated: Oct 30, 2025, 3:16 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread            5.0
impact           10.0
exploitability    5.2
remediation       7.7
relevance         0.9
threat            0.0
urgency           2.9
incentive         1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.