CVE-2025-54415
BaseFortify

Publication date: 2025-07-26

Last updated on: 2025-07-29

Assigner: GitHub, Inc.

Description
dag-factory is a library for Apache Airflow® to construct DAGs declaratively via configuration files. In versions 0.23.0a8 and below, a high-severity vulnerability has been identified in the cicd.yml workflow within the astronomer/dag-factory GitHub repository. The workflow, specifically when triggered by pull_request_target, is susceptible to exploitation, allowing an attacker to execute arbitrary code within the GitHub Actions runner environment. This misconfiguration enables an attacker to establish a reverse shell, exfiltrate sensitive secrets, including the highly-privileged GITHUB_TOKEN, and ultimately gain full control over the repository. This is fixed in version 0.23.0a9.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-07-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor      Product      Version / Range
astronomer  dag-factory  0.23.0
astronomer  dag-factory  *
CWE ID   Description
CWE-78   The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-54415 is a high-severity vulnerability in the cicd.yml GitHub Actions workflow of the astronomer/dag-factory repository. The vulnerability arises because the workflow uses the pull_request_target trigger, which allows an attacker to execute arbitrary code within the GitHub Actions runner environment. This misconfiguration enables an attacker to establish a reverse shell, steal sensitive secrets including the highly privileged GITHUB_TOKEN, and gain full control over the repository. [1]


How can this vulnerability impact me?

If exploited, this vulnerability can lead to complete takeover of the repository. An attacker can modify repository content, create or alter releases and tags, manipulate workflows, steal all repository secrets, and execute arbitrary commands on the GitHub Actions runner. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by reviewing the GitHub Actions workflows in your repository, specifically checking if the cicd.yml workflow uses the pull_request_target trigger. Look for the presence of the vulnerable trigger in the .github/workflows/cicd.yml file. You can use commands like `grep -r 'pull_request_target' .github/workflows/` to find usage of this trigger. Additionally, check if the repository is running GitHub Actions on forks, which can be abused. Monitoring for unexpected or unauthorized workflow runs triggered by pull_request_target events from forks can also help detect exploitation attempts. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include disabling GitHub Actions on forked repositories to prevent unauthorized workflow execution, removing or modifying the pull_request_target trigger in the cicd.yml workflow to use safer triggers such as pull_request, and implementing strict input validation for any untrusted inputs in workflows. It is also recommended to restrict the permissions of the GITHUB_TOKEN to read-only at the organization, repository, or workflow level. Upgrading to version 0.23.0a9 or later, which contains the fix, is advised. [1]
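The detection answer above stops at grepping for the trigger name, and the mitigation answer describes the safe shape (a plain pull_request trigger plus a read-only GITHUB_TOKEN) only in words. The following added example, which is not dag-factory's own code and not the page's grep command, combines both: a heuristic scanner that flags a pull_request_target trigger and, within the same workflow, any use of pull-request head data (checkout of the PR head commit, or PR title/branch text interpolated into a step, the CWE-78 pattern), with a constructed vulnerable workflow beside a constructed fixed one. It is deliberately line-based so it needs no YAML library; the two embedded workflows are samples, not the repository's real cicd.yml.

```python
"""Heuristic scanner for the misconfiguration class behind CVE-2025-54415:
a pull_request_target trigger combined with checkout of, or shell
interpolation of, data controlled by the pull request head.
Added example; not dag-factory project code. Line-based on purpose so it
runs offline without PyYAML. Embedded workflows are constructed samples."""
import re
from pathlib import Path

# The trigger itself: runs with secrets and a write-capable token even for
# pull requests from forks, which is what makes the rest dangerous.
TRIGGER = re.compile(r"\bpull_request_target\b")

# Ways untrusted, fork-controlled data reaches a job that still holds secrets.
UNTRUSTED_USES = [
    (re.compile(r"github\.event\.pull_request\.head\.(sha|ref)"),
     "checks out or references the PR head commit"),
    (re.compile(r"refs/pull/\S*/(merge|head)"),
     "checks out the PR merge/head ref"),
    (re.compile(r"github\.(head_ref|event\.pull_request\.(title|body))"),
     "interpolates PR-controlled text (CWE-78 risk inside run: steps)"),
]


def scan_workflow(text: str) -> list[tuple[int, str]]:
    """Return (line_number, reason) findings for one workflow file's text.
    An empty list means no pull_request_target trigger: a plain pull_request
    run from a fork gets no secrets and a read-only token, so it is out of
    scope for this check."""
    lines = text.splitlines()
    trigger_lines = [n for n, line in enumerate(lines, 1) if TRIGGER.search(line)]
    if not trigger_lines:
        return []
    findings = [(n, "triggered by pull_request_target (secrets exposed to fork PRs)")
                for n in trigger_lines]
    for n, line in enumerate(lines, 1):
        for pattern, reason in UNTRUSTED_USES:
            if pattern.search(line):
                findings.append((n, reason))
                break  # one reason per line is enough
    return sorted(findings)


def scan_directory(repo_root: Path) -> dict[str, list[tuple[int, str]]]:
    """Scan every workflow under .github/workflows, like the grep on this page,
    but report only files where the trigger is actually present."""
    results = {}
    for path in sorted((repo_root / ".github" / "workflows").glob("*.y*ml")):
        findings = scan_workflow(path.read_text(encoding="utf-8"))
        if findings:
            results[path.name] = findings
    return results


# Constructed sample: the shape of the misconfiguration the advisory describes
# (trigger with secrets, then checkout of the untrusted PR head).
VULNERABLE_WORKFLOW = """\
name: cicd
on:
  pull_request_target:
    branches: [main]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
"""

# Constructed sample of the mitigated shape: plain pull_request trigger and a
# read-only GITHUB_TOKEN, as the mitigation answer recommends.
FIXED_WORKFLOW = """\
name: cicd
on:
  pull_request:
    branches: [main]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_WORKFLOW), ("fixed", FIXED_WORKFLOW)):
        print(f"{name}: {scan_workflow(text) or 'no findings'}")
```

Run `scan_directory(Path("."))` from a repository root to get a per-file report; a hit on the trigger alone is worth reviewing, and a hit on the trigger plus a head checkout is the exact combination the advisory describes. The scanner is a heuristic, not a parser: it will also match the trigger name inside YAML comments, so treat its output as a review queue rather than a verdict.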

