Home

Description

A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in the Kubernetes materializer job located at `feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py`. The vulnerability arises from the use of `yaml.load(..., Loader=yaml.Loader)` to deserialize `/var/feast/feature_store.yaml` and `/var/feast/materialization_config.yaml`. This method allows for the instantiation of arbitrary Python objects, enabling an attacker with the ability to modify these YAML files to execute OS commands on the worker pod. This vulnerability can be exploited before the configuration is validated, potentially leading to cluster takeover, data poisoning, and supply-chain sabotage.

PUBLISHED Reserved 2025-09-29 | Published 2026-01-01 | Updated 2026-01-01 | Assigner @huntr_ai




HIGH: 7.8CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-502 Deserialization of Untrusted Data

Product status

Any version before 0.54.0
affected

References

huntr.com/bounties/46d4d585-b968-4a76-80ce-872bc5525564

github.com/...ommit/b2e37ff37953b68ae833f6874ab5bc510a4ca5fb

cve.org (CVE-2025-11157)

nvd.nist.gov (CVE-2025-11157)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.