CVE-2025-54941: 
Apache Airflow vulnerability analysis and mitigation

CVE-2025-54941 affects Apache Airflow versions >3.0.0 and <3.0.5, specifically involving the example_dag_decorator component. The vulnerability was discovered and disclosed on October 29, 2025, with a low severity rating. The issue affects Apache Airflow installations where example DAGs are enabled in production environments (which is not the default configuration) or where the example DAG code has been copied to create similar custom DAGs (Apache Mailing List, OSS Security).

The vulnerability stems from a non-validated parameter in the example_dag_decorator that could allow UI users to redirect the example to a malicious server and execute code on the worker. The issue has been assigned a CVSS v3.1 base score of 4.6 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N. It is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command Injection) (NVD).

The vulnerability could allow attackers to execute code on the worker node through the redirection of the example DAG to a malicious server. However, the impact is limited as it requires specific conditions: either example DAGs must be enabled in production (which is not the default setting) or the vulnerable example code must have been copied into a custom DAG (OSS Security).

The vulnerability has been fixed in Apache Airflow version 3.0.5. Users are advised to upgrade to this version or later. For those who have used the example_dag_decorator in their custom implementations, it is recommended to review and apply the changes implemented in Airflow 3.0.5 accordingly (NVD).