Description

API users could, via `/api/v2/dagReports`, execute DAG code in the context of the api-server if the api-server was deployed in an environment where DAG files were available.

PUBLISHED Reserved 2025-10-13 | Published 2025-10-30 | Updated 2025-10-30 | Assigner apache

Problem types

CWE-250: Execution with Unnecessary Privileges

Product status

Default status: unaffected

3.0.0 (semver) before 3.1.1: affected

Credits

kwkr (https://github.com/kwkr) reporter

References

lists.apache.org/thread/vbzxnxn031wb998hsd7vqnvh4z8nx6rs vendor-advisory

cve.org (CVE-2025-62402)

nvd.nist.gov (CVE-2025-62402)