Vulnerability Description
A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in the Kubernetes materializer job located at `feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py`. The vulnerability arises from the use of `yaml.load(..., Loader=yaml.Loader)` to deserialize `/var/feast/feature_store.yaml` and `/var/feast/materialization_config.yaml`. This method allows for the instantiation of arbitrary Python objects, enabling an attacker with the ability to modify these YAML files to execute OS commands on the worker pod. This vulnerability can be exploited before the configuration is validated, potentially leading to cluster takeover, data poisoning, and supply-chain sabotage.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/feast-dev/feast/commit/b2e37ff37953b68ae833f6874ab5bc510a4ca5
- https://huntr.com/bounties/46d4d585-b968-4a76-80ce-872bc5525564
FAQ
What is CVE-2025-11157?
CVE-2025-11157 is a vulnerability with a CVSS score of 7.8 (HIGH). A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in the Kubernetes materializer job located at `feast/sdk/python/feast/infra/compute_engines/k...
How severe is CVE-2025-11157?
CVE-2025-11157 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-11157?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.