Platform
python
Component
apache-airflow
Fixed in
3.2.0
3.2.0
CVE-2025-54550 describes a Remote Code Execution (RCE) vulnerability within Apache Airflow versions ranging from 0.0.0 to 3.2.0. This vulnerability stems from an unsafe pattern in the example_xcom example within the Airflow documentation, allowing UI users with XCom modification privileges to potentially execute arbitrary code on the worker nodes. A fix is available in Airflow 3.2.0.
An attacker exploiting this vulnerability could leverage their access to modify XComs through the Airflow UI to execute arbitrary code on the worker nodes. This could lead to complete system compromise, data exfiltration, or denial of service. The impact is particularly concerning because UI users are typically considered highly trusted within an Airflow environment, granting the attacker a significant foothold. While example DAGs are not intended for production use, organizations that have replicated this pattern in their deployments are at risk.
This vulnerability was publicly disclosed on 2026-04-15. While a public proof-of-concept is not currently available, the ease of exploitation, coupled with the trusted nature of UI users, suggests a potential for exploitation. The vulnerability has not been added to the CISA KEV catalog at the time of writing. The description indicates the vulnerability is considered low severity due to the intended use of example DAGs, but improper deployment could elevate the risk.
Organizations that have deployed Apache Airflow and are using or have previously used the example_xcom example in their custom DAGs are at risk. This includes teams that have copied and pasted code snippets from the Airflow documentation without proper security review. Shared hosting environments where multiple users have access to the Airflow UI are also particularly vulnerable.
• python / airflow: Inspect custom DAGs for instances of insecure XCom value reading patterns. Look for code that directly reads XCom values without proper sanitization or validation.

    # Example of a potentially vulnerable pattern: the pulled value is used as-is
    xcom_value = task_instance.xcom_pull(task_ids='upstream_task', key='my_key')
    # ... xcom_value is then used (for example, passed to a command) without validation

• python / airflow: Review Airflow worker logs for any unusual code execution or errors related to XCom processing.
• python / airflow: Check Airflow UI user permissions to ensure that only authorized users have the ability to modify XComs.
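As an added example (not code from the advisory or from the Airflow project), a small AST-based scanner for the first check above: it flags names assigned from an xcom_pull() call that reach an eval/exec/shell sink without any intervening validation, and Jinja-templated xcom_pull calls inside a bash_command string. The sink list and the sample DAG source are assumptions constructed here.

```python
import ast

# Sinks where an unvalidated XCom value becomes code or a shell command.
# This sink list is the scanner's assumption, not taken from the advisory.
DANGEROUS_CALLS = {"eval", "exec", "os.system", "os.popen", "subprocess.run",
                   "subprocess.Popen", "subprocess.call", "subprocess.check_output"}

def _is_xcom_pull(node):
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "xcom_pull")

def find_unvalidated_xcom_sinks(source):
    """Return sorted (line, description) pairs for XCom values that reach a sink."""
    tree = ast.parse(source)
    # Names assigned directly from an xcom_pull() call are treated as tainted.
    tainted = {t.id for n in ast.walk(tree) if isinstance(n, ast.Assign)
               and _is_xcom_pull(n.value) for t in n.targets if isinstance(t, ast.Name)}
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = ast.unparse(node.func)
        if name in DANGEROUS_CALLS:
            for arg in node.args + [k.value for k in node.keywords]:
                if _is_xcom_pull(arg) or any(isinstance(n, ast.Name) and n.id in tainted
                                             for n in ast.walk(arg)):
                    findings.append((node.lineno, f"XCom value passed to {name}"))
                    break
        # A Jinja-templated xcom_pull inside a bash_command string is rendered
        # straight into the shell command, so it is flagged as well.
        for kw in node.keywords:
            if (kw.arg == "bash_command" and isinstance(kw.value, ast.Constant)
                    and isinstance(kw.value.value, str) and "xcom_pull" in kw.value.value):
                findings.append((node.lineno, "templated xcom_pull inside bash_command"))
    return sorted(findings)

# Constructed sample DAG source for the demo; not the Airflow example DAG.
SAMPLE_DAG = '''def pull(ti):
    value = ti.xcom_pull(task_ids="push", key="cmd")
    subprocess.run(value, shell=True)

BashOperator(task_id="bash_pull",
             bash_command="echo {{ ti.xcom_pull(task_ids='push') }}")
'''

if __name__ == "__main__":
    for line, desc in find_unvalidated_xcom_sinks(SAMPLE_DAG):
        print(f"line {line}: {desc}")
```

Run it over each file in your dags/ folder; every hit is a place where the value should be validated against an allow-list or schema before use, or the templated pull replaced with a plain Python read.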
disclosure
Exploit status
EPSS
0.06% (18th percentile)
The primary mitigation for CVE-2025-54550 is to upgrade to Apache Airflow version 3.2.0 or later, which includes a corrected version of the example_xcom example. If upgrading is not immediately feasible, organizations should carefully review their Airflow deployments for instances where the unsafe XCom reading pattern has been replicated. Remove or modify any custom DAGs that implement this pattern. Consider implementing stricter access controls for the Airflow UI to limit the number of users with modification privileges. After upgrading, confirm the fix by reviewing the Airflow documentation and verifying that the example_xcom example no longer contains the vulnerable code.
Update Apache Airflow to version 3.2.0 or later to mitigate the vulnerability. Avoid replicating the insecure pattern for reading XCom values in your own implementations, and follow the recommendations in the updated documentation.
CVE-2025-54550 is a Remote Code Execution vulnerability affecting Apache Airflow versions 0.0.0–3.2.0. It allows an attacker with XCom modification access to execute arbitrary code on the worker nodes.
You are affected if you are using Apache Airflow versions 0.0.0 through 3.2.0 and have replicated the insecure XCom pattern from the example_xcom example in your custom DAGs.
Upgrade Apache Airflow to version 3.2.0 or later. Review and remediate any custom DAGs that use the vulnerable XCom pattern.
There is currently no evidence of active exploitation of CVE-2025-54550.
Refer to the Apache Airflow security advisories on the Apache project website for the latest information: https://airflow.apache.org/security/