Description

dag-factory is a library for Apache Airflow® to construct DAGs declaratively via configuration files. In versions 0.23.0a8 and below, a high-severity vulnerability has been identified in the cicd.yml workflow within the astronomer/dag-factory GitHub repository. The workflow, specifically when triggered by pull_request_target, is susceptible to exploitation, allowing an attacker to execute arbitrary code within the GitHub Actions runner environment. This misconfiguration enables an attacker to establish a reverse shell, exfiltrate sensitive secrets, including the highly-privileged GITHUB_TOKEN, and ultimately gain full control over the repository. This is fixed in version 0.23.0a9.

INFO

Published Date :

2025-07-26T03:33:39.933Z

Last Modified :

2025-07-28T14:44:53.312Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-54415 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-54415.

URL Resource
https://github.com/astronomer/dag-factory/commit/751c0e58369e784f6a924347e381a705ea8133fe cve-icon cve-icon
https://github.com/astronomer/dag-factory/pull/460 cve-icon cve-icon
https://github.com/astronomer/dag-factory/pull/466 cve-icon cve-icon
https://github.com/astronomer/dag-factory/security/advisories/GHSA-g5hx-xv45-9whg cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability