CVE-2024-39877

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated DAG authors in Apache Airflow to craft malicious doc_md parameters that execute arbitrary code in the scheduler context, bypassing intended security restrictions. It affects Apache Airflow versions from 2.4.0 up to, but not including, 2.9.3. The vulnerability enables privilege escalation from DAG author to scheduler-level code execution.

💻 Affected Systems

Products:
  • Apache Airflow
Versions: from 2.4.0 up to, but not including, 2.9.3 (fixed in 2.9.3)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations where DAG authors have access to create or modify DAGs with doc_md parameters.

📦 What is this software?

Apache Airflow is an open-source platform for authoring, scheduling and monitoring workflows. Workflows are defined as DAGs in Python files; the scheduler process parses those files and triggers task runs, which is why code reachable from DAG parsing runs with scheduler privileges.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the Airflow scheduler, allowing attackers to execute arbitrary code with scheduler privileges, potentially leading to data theft, system takeover, or lateral movement within the infrastructure.

🟠 Likely Case

Authenticated DAG authors exploiting the vulnerability to gain unauthorized code execution capabilities, potentially manipulating workflows, accessing sensitive data, or disrupting operations.

🟢 If Mitigated

Limited impact if proper access controls restrict DAG author privileges and network segmentation isolates the scheduler from critical systems.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated DAG author access. The flaw lies in how the doc_md parameter is handled: its value is used without the sanitization it should receive.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.9.3 or later

Vendor Advisory: https://lists.apache.org/thread/1xhj9dkp37d6pzn24ll2mf94wbqnb2y1

Restart Required: Yes

Instructions:

1. Back up your Airflow configuration and DAGs.
2. Upgrade Apache Airflow to version 2.9.3 or later using pip: pip install --upgrade apache-airflow==2.9.3
3. Restart all Airflow services (scheduler, webserver, workers).
4. Verify the upgrade completed successfully.

🔧 Temporary Workarounds

Restrict DAG Author Access (applies to: all)

Temporarily limit or audit DAG author privileges to prevent exploitation while planning the upgrade.

🧯 If You Can't Patch

  • Implement strict access controls to limit who can create or modify DAGs
  • Monitor and audit all DAG modifications and scheduler activities for suspicious behavior

🔍 How to Verify

Check if Vulnerable:

Check the Airflow version: if it is 2.4.0 or later but earlier than 2.9.3, the system is vulnerable.

Check Version:

airflow version

Verify Fix Applied:

Verify Airflow version is 2.9.3 or later and test that doc_md parameter handling no longer allows code execution.
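As an added example (not part of this advisory and not Airflow project code), the following Python helper applies the affected range above to the output of the airflow version command. It assumes that output contains a leading X.Y.Z version number; pre-release suffixes such as rc1 are ignored, and the range constants are taken from this page.

```python
import re
import subprocess

# Affected range as stated on this page: from 2.4.0 up to, but not including, 2.9.3.
AFFECTED_MIN = (2, 4, 0)  # first affected release
FIXED_IN = (2, 9, 3)      # first fixed release


def parse_version(text):
    """Extract the leading X.Y.Z from a version string such as '2.9.2' or '2.10.0rc1'.

    Assumption: `airflow version` prints a dotted numeric version; any
    pre-release suffix after the third component is ignored.
    """
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version_text):
    """True when the version falls inside [AFFECTED_MIN, FIXED_IN)."""
    version = parse_version(version_text)
    return AFFECTED_MIN <= version < FIXED_IN


def check_installed():
    """Run `airflow version` on this host and report whether it is in the affected range."""
    output = subprocess.run(
        ["airflow", "version"], capture_output=True, text=True, check=True
    ).stdout
    return is_affected(output)


if __name__ == "__main__":
    if check_installed():
        print("VULNERABLE: upgrade to 2.9.3 or later")
    else:
        print("not in the affected range")
```

Tuple comparison is used rather than string comparison so that 2.10.x is correctly treated as newer than 2.9.3.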

📡 Detection & Monitoring

Log Indicators:

  • Unusual scheduler process activity
  • Unexpected code execution in scheduler logs
  • Suspicious DAG modifications with doc_md parameters

Network Indicators:

  • Unusual outbound connections from scheduler process

SIEM Query:

source="airflow" AND ("doc_md" OR "scheduler execution")
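To support the "suspicious DAG modifications with doc_md parameters" indicator above, here is an added Python audit script (my own, not from the advisory or from Airflow). It walks a DAG folder, parses each file with Python's ast module, inventories every doc_md= keyword argument, and flags values that are not plain string literals for review. The sample DAG source embedded in it is constructed for the demonstration, and treating a non-literal doc_md as worth a look is a review heuristic, not a rule stated by the advisory.

```python
import ast
from pathlib import Path

# Constructed sample DAG file (not from the page) used to exercise the scanner.
SAMPLE_DAG = '''
from airflow import DAG
from airflow.operators.bash import BashOperator

with DAG("example", doc_md="# literal docs") as dag:
    t1 = BashOperator(task_id="t1", bash_command="echo hi", doc_md=open("/tmp/notes.md").read())
    t2 = BashOperator(task_id="t2", bash_command="echo bye")
'''


def find_doc_md_uses(source, filename="<dag>"):
    """Return a list of (line, callee, is_literal) for every doc_md= keyword argument.

    is_literal is True only when the value is a plain string constant; anything
    else (file reads, function calls, names) is flagged for human review.
    """
    tree = ast.parse(source, filename=filename)
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        for keyword in node.keywords:
            if keyword.arg != "doc_md":
                continue
            callee = ast.unparse(node.func)
            is_literal = isinstance(keyword.value, ast.Constant) and isinstance(
                keyword.value.value, str
            )
            hits.append((node.lineno, callee, is_literal))
    return sorted(hits)


def scan_dag_folder(folder):
    """Map each .py file under `folder` to its doc_md uses; files that fail to parse are skipped."""
    findings = {}
    for path in Path(folder).rglob("*.py"):
        try:
            hits = find_doc_md_uses(path.read_text(), str(path))
        except SyntaxError:
            continue
        if hits:
            findings[str(path)] = hits
    return findings


def review_candidates(hits):
    """Keep only the doc_md uses whose value is not a string literal."""
    return [hit for hit in hits if not hit[2]]


if __name__ == "__main__":
    for line, callee, literal in find_doc_md_uses(SAMPLE_DAG):
        status = "literal" if literal else "REVIEW (non-literal value)"
        print(f"line {line}: {callee}(doc_md=...) -> {status}")
```

Because the scanner only parses the files, it never executes DAG code; point scan_dag_folder at the configured DAGs folder and diff its output between runs to see which DAGs gained or changed doc_md values.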
