diff --git a/setup.py b/setup.py
index ad30baacd10be..c826e3eb828bd 100644
--- a/setup.py
+++ b/setup.py
@@ -353,7 +353,13 @@ def write_version(filename: str = str(AIRFLOW_SOURCES_ROOT / "airflow" / "git_ve
 ]
 leveldb = ["plyvel"]
 otel = ["opentelemetry-exporter-prometheus"]
-pandas = ["pandas>=0.17.1", "pyarrow>=9.0.0"]
+pandas = [
+    "pandas>=0.17.1",
+    # Use pyarrow-hotfix to fix https://nvd.nist.gov/vuln/detail/CVE-2023-47248.
+    # We should remove it once Apache Beam frees us to upgrade to pyarrow 14.0.1
+    "pyarrow-hotfix",
+    "pyarrow>=9.0.0",
+]
 password = [
     "bcrypt>=2.0.0",
     "flask-bcrypt>=0.7.1",