CVE-2025-62402
MEDIUM 5.4 | EPSS 0.45%
Apache Airflow: Airflow 3 API: /api/v2/dagReports executes DAG Python in API
Published: 10/30/2025 | Modified: 11/6/2025
Description
API users could trigger execution of Dag code in the context of the api-server via `/api/v2/dagReports` if the api-server was deployed in an environment where Dag files were available.
Affected packages (2)
- Bitnami/airflow: >= 3.0.0, < 3.1.1
- PyPI/apache-airflow: >= 3.0.0, < 3.1.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-62402
- PATCH: https://github.com/apache/airflow
- WEB: https://github.com/apache/airflow/commit/828aaa0b1d95caf90612a648867c17aec7e87874
- WEB: https://github.com/apache/airflow/pull/56609
- WEB: https://lists.apache.org/thread/vbzxnxn031wb998hsd7vqnvh4z8nx6rs
- WEB: http://www.openwall.com/lists/oss-security/2025/10/29/7