CVE-2025-54550
Received Received - Intake
Arbitrary Code Execution via Unsafe XCom Usage in Airflow Example

Publication date: 2026-04-15

Last updated on: 2026-04-17

Assigner: Apache Software Foundation

Description
The example example_xcomΒ that was included in airflow documentation implemented unsafe pattern of reading value from xcom in the way that could be exploited to allow UI user who had access to modify XComs to perform arbitrary execution of code on the worker. Since the UI users are already highly trusted, this is a Low severity vulnerability. It does not affect Airflow release - example_dags are not supposed to be enabled in production environment, however users following the example could replicate the bad pattern. Documentation of Airflow 3.2.0 contains version of the example with improved resiliance for that case. Users who followed that pattern are advised to adjust their implementations accordingly.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-15
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-15
EPSS Evaluated
2026-06-14
NVD
CVE-2025-54550
EUVD
EUVD-2025-209465
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache airflow to 3.2.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-54550 is a low severity vulnerability in Apache Airflow's example_xcom component, which is part of the example DAGs included in Airflow documentation. The issue arises from an unsafe pattern of reading values from XComs that could be exploited by a UI user who has permission to modify XComs to execute arbitrary code on the worker. Since UI users are already highly trusted, the risk is considered low. The vulnerability does not affect official Airflow releases because example DAGs are not intended for production use.

The vulnerability was addressed by improving the handling of escaping within example_xcom to prevent improper processing or injection risks, as implemented in a patch merged in March 2026.

Impact Analysis

If you use the example_xcom DAG pattern from Airflow documentation in a production environment and allow UI users to modify XComs, this vulnerability could allow those users to execute arbitrary code on the worker. This could lead to unauthorized code execution within your Airflow environment.

However, since UI users are typically highly trusted and example DAGs are not meant for production, the practical impact is limited. Users who have replicated this unsafe pattern are advised to update their implementations to the improved version provided in Airflow 3.2.0 documentation.

Detection Guidance

This vulnerability arises from an unsafe pattern in the example_xcom DAG where values are read from XComs in a way that allows arbitrary code execution if a UI user can modify XComs. Detection involves identifying if your Airflow environment is running the vulnerable example_xcom DAG or any similar custom DAGs that replicate this unsafe pattern.

Since the vulnerability is related to code patterns in DAGs rather than network traffic or system-level indicators, detection should focus on reviewing your Airflow DAGs for unsafe XCom usage.

Suggested commands or steps include:

  • List all DAGs and check if example_xcom or similar DAGs are enabled: `airflow dags list`
  • Inspect the DAG files for unsafe XCom reading patterns, especially code that reads values from XComs without proper validation or escaping.
  • Search for usage of example_xcom in your DAGs directory: `grep -r example_xcom /path/to/your/dags/`
  • Review Airflow UI permissions to ensure that only trusted users have the ability to modify XComs.
Mitigation Strategies

Immediate mitigation steps include:

  • Do not enable or run the example_xcom DAG in production environments, as it contains the unsafe pattern.
  • If you have implemented DAGs following the example_xcom pattern, update your code to use the improved, safer version included in Airflow 3.2.0 documentation.
  • Apply the patch from Pull Request #63200 which fixes escaping issues in example_xcom, available in Airflow 3.1.9 and later.
  • Restrict UI user permissions to limit who can modify XComs, ensuring only highly trusted users have such access.
  • Review and audit your DAGs for unsafe XCom usage patterns and refactor them to handle XCom data safely.
Compliance Impact

This vulnerability is a low severity issue related to an unsafe pattern in example_xcom that could allow arbitrary code execution by a UI user with permission to modify XComs. However, since example DAGs are not intended for production use and the vulnerability does not affect official Airflow releases, it poses minimal direct risk in compliant production environments.

Because the vulnerability involves potential arbitrary code execution, if replicated in a production environment, it could theoretically impact the security controls required by standards like GDPR or HIPAA by allowing unauthorized code execution on workers. However, the vulnerability itself is mitigated by the fact that the example is not used in production and has been fixed in Airflow 3.2.0.

Users following the example pattern are advised to update their implementations to avoid introducing this risk, thereby maintaining compliance with security best practices required by such regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-54550. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart