
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN751
_____________________________________________________________________

DATE                : 30/10/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Airflow versions prior to
                     3.1.1.

=====================================================================
https://lists.apache.org/thread/w6vsp9j8s1pz15k42s3l4wlstoo2bqv6
https://lists.apache.org/thread/3v58249qscyn1hg240gh8hqg9pb4okcr
https://lists.apache.org/thread/ov923dyccwbv01v9mhcv7t7ykzobycfo
_____________________________________________________________________


CVE-2025-54941: Apache Airflow: Command injection in "example_dag_decorator"

Severity: low

Affected versions:

- Apache Airflow (apache-airflow) >3.0.0, < 3.0.5

Description:

An example DAG, `example_dag_decorator`, had a non-validated parameter
that allowed a UI user to redirect the example to a malicious server
and execute code on the worker. This, however, required that example
DAGs be enabled in production (not the default) or that the example
DAG code had been copied to build your own similar DAG.

If you used the `example_dag_decorator` please review it and apply
the changes implemented in Airflow 3.0.5 accordingly.
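The advisory does not say which parameter was unchecked or how the worker consumed it, so the following is an added example rather than Airflow's code or the actual fix. It assumes a DAG parameter named `url` (an assumption) that a task passes to a command-line tool on the worker, and contrasts the injection-prone pattern (pasting the templated value into a shell string) with the validated, shell-free form. `ALLOWED_HOSTS` is a constructed allow-list; in a deployment it would come from configuration, never from the UI.

```python
import subprocess
from urllib.parse import urlparse

# Constructed allow-list standing in for the server(s) the task is meant to
# reach. A UI user may pick a URL, but only one that points at these hosts.
ALLOWED_HOSTS = {"httpbin.org", "internal.example.net"}
SHELL_METACHARS = set(" \t\n;&|`$<>()'\"\\")


def validate_url_param(value: str) -> str:
    """Return ``value`` unchanged if it is an acceptable URL, else raise ValueError."""
    if not isinstance(value, str) or not value or len(value) > 2048:
        raise ValueError("url param must be a non-empty string of reasonable length")
    parsed = urlparse(value)
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parsed.scheme!r}")
    if parsed.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"host not in allow-list: {parsed.hostname!r}")
    if parsed.username is not None or parsed.password is not None:
        raise ValueError("credentials embedded in the URL are not allowed")
    # Defence in depth: even though the hardened path never touches a shell,
    # refuse anything that would matter if someone later templated it into one.
    if SHELL_METACHARS & set(value):
        raise ValueError("shell metacharacters are not allowed")
    return value


def is_safe_url(value: str) -> bool:
    """Boolean wrapper around validate_url_param for callers that just want yes/no."""
    try:
        validate_url_param(value)
        return True
    except ValueError:
        return False


def vulnerable_command(url: str) -> str:
    # Vulnerable pattern (the kind of thing the advisory describes): the
    # templated param is pasted into a shell string, so whatever the UI user
    # typed is parsed by the worker's shell, not just handed to curl.
    return f"curl -s {url}"


def hardened_argv(url: str) -> list[str]:
    # Hardened pattern: validate first, then pass the value as one argv
    # element. With no shell involved, nothing in the value is interpreted.
    return ["curl", "-s", "--", validate_url_param(url)]


def run_hardened(url: str) -> int:
    # shell=False plus a list argv: the URL reaches curl as a single argument.
    return subprocess.run(hardened_argv(url), check=False).returncode


if __name__ == "__main__":
    for candidate in ("https://httpbin.org/get", "https://httpbin.org/get; id",
                      "https://evil.example.com/get"):
        print(candidate, "->", "accepted" if is_safe_url(candidate) else "rejected")
```

The two controls are independent: the allow-list stops the "redirect to a malicious server" half of the issue, and the list-form `argv` with `shell=False` stops the "execute code on the worker" half even if the allow-list is later loosened. Validation belongs on the worker side (in the task), because the UI form is under the caller's control.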


Credit:

Nacl (reporter)


References:

https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-54941


_____________________________________________________________________

CVE-2025-62402: Apache Airflow: Airflow 3 API: /api/v2/dagReports
executes DAG Python in API

Severity: moderate

Affected versions:

- Apache Airflow (apache-airflow) >=3.0.0,<3.1.1

Description:

API users could, via `/api/v2/dagReports`, trigger execution of DAG
code in the context of the api-server if the api-server was deployed
in an environment where the DAG files were available.
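Because the endpoint is reachable by ordinary API users, a defender running a version before 3.1.1 will want to know who has been calling it. The following is an added example, not part of the advisory or of Airflow: it scans api-server access-log lines for requests to `/api/v2/dagReports` and tallies them per user and client address. The log lines, their layout and the query strings in them are constructed for the example; real api-server logs differ in format, so `LOG_RE` must be adapted to the actual one.

```python
import re
from collections import Counter

# Constructed access-log lines in a common-log-like layout (client, ident,
# user, timestamp, request line, status, size). The query strings are
# illustrative only.
SAMPLE_LOG = """\
10.0.0.5 - alice [30/Oct/2025:09:58:01 +0000] "GET /api/v2/dags HTTP/1.1" 200 1834
10.0.0.5 - alice [30/Oct/2025:09:58:07 +0000] "GET /api/v2/dagReports?subdir=/opt/airflow/dags HTTP/1.1" 200 5120
10.0.0.9 - bob [30/Oct/2025:10:03:44 +0000] "GET /api/v2/dagReports?subdir=/tmp/x HTTP/1.1" 200 77
10.0.0.9 - bob [30/Oct/2025:10:03:45 +0000] "GET /api/v2/DAGREPORTS HTTP/1.1" 404 12
10.0.0.9 - bob [30/Oct/2025:10:04:02 +0000] "GET /api/v2/dagReports/ HTTP/1.1" 200 77
10.0.0.12 - - [30/Oct/2025:10:10:00 +0000] "GET /api/v2/version HTTP/1.1" 200 40
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)
ENDPOINT = "/api/v2/dagReports"


def find_dag_report_calls(log_text: str) -> list[dict]:
    """Return one record per request whose path is exactly the dagReports endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable line: not our format
        # Strip the query string and a trailing slash; keep the comparison
        # case-sensitive, since the router's path matching is.
        path = m["target"].split("?", 1)[0].rstrip("/")
        if path != ENDPOINT:
            continue
        hits.append({
            "client": m["client"],
            "user": m["user"],
            "ts": m["ts"],
            "status": int(m["status"]),
            "target": m["target"],
        })
    return hits


def summarize(hits: list[dict]) -> Counter:
    """Count calls per (user, client) pair, the unit a reviewer would triage."""
    return Counter((h["user"], h["client"]) for h in hits)


if __name__ == "__main__":
    calls = find_dag_report_calls(SAMPLE_LOG)
    for (user, client), n in summarize(calls).most_common():
        print(f"{user:<10} {client:<12} {n} call(s)")
```

Any caller that is not expected to generate DAG reports is worth a closer look; successful (2xx) calls from such principals on an api-server that has DAG files on disk are the case the advisory describes. Alongside upgrading, deploying the api-server without access to the DAG files removes the precondition entirely.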


Credit:

kwkr (https://github.com/kwkr) (reporter)


References:

https://lists.apache.org/thread/vbzxnxn031wb998hsd7vqnvh4z8nx6rs
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-62402

_____________________________________________________________________

CVE-2025-62503: Apache Airflow: Privilege boundary bypass in bulk
APIs (create action can upsert existing Pools/Connections/Variables)

Severity: low

Affected versions:

- Apache Airflow (apache-airflow) 3.0.0 before 3.1.1 (> 3.0.0, < 3.1.1)


Description:

A user holding CREATE but no UPDATE privilege on Pools, Connections or
Variables could update existing records via the bulk create API by
using the overwrite action.
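The general lesson is that a "create" action with an overwrite option is an upsert, and its authorization has to match what it will actually do to existing rows. The following is an added example, not Airflow's code: a minimal in-memory stand-in for one of the three tables (Variables here; Pools and Connections are the same shape), a handler that checks only CREATE, and a hardened handler that also requires UPDATE whenever the request would overwrite something, deciding before it mutates anything. The permission strings and the `action_on_existence` values are assumptions made for the example.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller lacks the privilege the operation needs."""


@dataclass
class Principal:
    name: str
    perms: frozenset = frozenset()      # e.g. {"Variables.CREATE", "Variables.UPDATE"}

    def can(self, action: str, resource: str) -> bool:
        return f"{resource}.{action}" in self.perms


@dataclass
class Store:
    """Constructed in-memory stand-in for the Variables table."""
    rows: dict = field(default_factory=dict)


def bulk_create_vulnerable(store: Store, who: Principal, items: dict,
                           action_on_existence: str = "fail") -> Store:
    """Only CREATE is consulted, even when 'overwrite' turns the call into an update."""
    if not who.can("CREATE", "Variables"):
        raise Forbidden("CREATE required")
    for key, value in items.items():
        if key in store.rows:
            if action_on_existence == "overwrite":
                store.rows[key] = value       # an UPDATE performed with CREATE only
            elif action_on_existence == "fail":
                raise ValueError(f"{key} already exists")
            # "skip": existing row left untouched
        else:
            store.rows[key] = value
    return store


def bulk_create_hardened(store: Store, who: Principal, items: dict,
                         action_on_existence: str = "fail") -> Store:
    """Authorize against what the request will actually do, before mutating anything."""
    if not who.can("CREATE", "Variables"):
        raise Forbidden("CREATE required")
    would_overwrite = sorted(k for k in items if k in store.rows)
    if would_overwrite and action_on_existence == "fail":
        # Decide up front so a rejected batch leaves no partial writes behind.
        raise ValueError(f"already exist: {would_overwrite}")
    if would_overwrite and action_on_existence == "overwrite" \
            and not who.can("UPDATE", "Variables"):
        raise Forbidden(f"UPDATE required to overwrite: {would_overwrite}")
    for key, value in items.items():
        if key in store.rows and action_on_existence != "overwrite":
            continue                      # "skip"
        store.rows[key] = value           # create, or an authorized overwrite
    return store


def attempt(handler, store: Store, who: Principal, items: dict, action: str) -> tuple:
    """Run a handler and report (outcome, rows): 'ok' or the exception class name."""
    try:
        handler(store, who, items, action)
        return "ok", dict(store.rows)
    except (Forbidden, ValueError) as exc:
        return type(exc).__name__, dict(store.rows)


if __name__ == "__main__":
    creator = Principal("creator", frozenset({"Variables.CREATE"}))
    batch = {"db_password": "changed"}
    print("vulnerable:", attempt(bulk_create_vulnerable, Store({"db_password": "original"}),
                                 creator, batch, "overwrite"))
    print("hardened:  ", attempt(bulk_create_hardened, Store({"db_password": "original"}),
                                 creator, batch, "overwrite"))
```

Two design points carry over to any bulk endpoint: compute the set of rows the batch would touch first and authorize against the most privileged effect in that set, and do it before the first write so that a denied request is also an atomic no-op.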


Credit:

Maciej Kawka (finder)


References:

https://lists.apache.org/thread/3v58249qscyn1hg240gh8hqg9pb4okcr
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-62503

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================