CVE-2025-62402
MEDIUM5.4EPSS 0.45%Apache Airflow: Airflow 3 API: /api/v2/dagReports executes DAG Python in API
發布日:2025/10/30修改日:2025/11/6
描述
API users via `/api/v2/dagReports` could perform Dag code execution in the context of the api-server if the api-server was deployed in the environment where Dag files were available.
受影響套件(2)
- Bitnami/airflow>= 3.0.0, < 3.1.1
- PyPI/apache-airflow>= 3.0.0, < 3.1.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-62402
- PATCHhttps://github.com/apache/airflow
- WEBhttps://github.com/apache/airflow/commit/828aaa0b1d95caf90612a648867c17aec7e87874
- WEBhttps://github.com/apache/airflow/pull/56609
- WEBhttps://lists.apache.org/thread/vbzxnxn031wb998hsd7vqnvh4z8nx6rs
- WEBhttp://www.openwall.com/lists/oss-security/2025/10/29/7