CVE-2025-11157

NONE EPSS 16.9%
Published Jan 1, 2026 · Modified Jun 17, 2026

Description

A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, in the Kubernetes materializer job at `feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py`. The job deserializes `/var/feast/feature_store.yaml` and `/var/feast/materialization_config.yaml` with `yaml.load(..., Loader=yaml.Loader)`. PyYAML's full `Loader` honours `!!python/...` tags, so parsing alone can instantiate arbitrary Python objects and invoke arbitrary callables; an attacker who can modify either YAML file can therefore execute OS commands on the worker pod. Because the objects are constructed while the document is being parsed, the attacker's code runs before the configuration is validated, so schema validation offers no protection. Consequences include cluster takeover, data poisoning, and supply-chain sabotage.
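The following is an added example written for this page, not code from the feast project, showing why the `yaml.Loader` pattern described above is code execution at parse time and what the hardened replacement does with the same file. Both YAML documents are constructed for the demo; the keys `project`, `registry` and `provider` are illustrative and make no claim about feast's actual configuration schema. The payload calls the harmless `os.getcwd` so the script is safe to run; an attacker would substitute `os.system` or `subprocess.check_output` with a command of their choosing.

```python
# Added example (editor's code, not feast's): the advisory's unsafe loader
# beside its safe replacement, run over a tampered and a clean config file.
# The YAML below is constructed for this demo; the field names are
# illustrative, not feast's real schema. os.getcwd stands in for the
# os.system / subprocess call a real attacker would use.
import os

import yaml
from yaml.constructor import ConstructorError

# Constructed: a tampered feature_store.yaml. The tag on "project" is a
# PyYAML extension that the full Loader turns into a call to os.getcwd()
# with no arguments, during parsing, before any field is validated.
TAMPERED_FEATURE_STORE_YAML = """\
project: !!python/object/apply:os.getcwd []
registry: /var/feast/registry.db
provider: local
"""

# Constructed: the same file as a legitimate operator would write it.
CLEAN_FEATURE_STORE_YAML = """\
project: demo_project
registry: /var/feast/registry.db
provider: local
"""


def load_config_vulnerable(text: str) -> dict:
    """The pattern named in the advisory. yaml.Loader honours !!python/*
    tags, so merely parsing the file runs attacker-chosen callables."""
    return yaml.load(text, Loader=yaml.Loader)


def load_config_hardened(text: str) -> dict:
    """Drop-in replacement. safe_load (SafeLoader) constructs only plain
    YAML types and raises ConstructorError on any !!python/* tag."""
    return yaml.safe_load(text)


def demo() -> dict:
    """Run both loaders over both files and report what happened."""
    results = {}

    cfg = load_config_vulnerable(TAMPERED_FEATURE_STORE_YAML)
    # "project" is not the string an operator typed; it is the return value
    # of a function the parser called on the attacker's behalf.
    results["vulnerable_executed"] = cfg["project"] == os.getcwd()

    try:
        load_config_hardened(TAMPERED_FEATURE_STORE_YAML)
        results["hardened_rejected"] = False
    except ConstructorError:
        # The safe loader refuses the document instead of executing it.
        results["hardened_rejected"] = True

    # A clean file parses identically under both loaders, so switching to
    # safe_load costs the legitimate configuration nothing.
    results["clean_file_equivalent"] = (
        load_config_vulnerable(CLEAN_FEATURE_STORE_YAML)
        == load_config_hardened(CLEAN_FEATURE_STORE_YAML)
    )
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the third check is that the fix is behaviour-preserving for every file an operator would legitimately write: `safe_load` only removes the ability to smuggle Python objects through the config, which is exactly the capability an attacker with write access to the mounted volume needs.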

Threat Intelligence

EPSS exploit probability: 16.9%
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-502 Deserialization of Untrusted Data

References 2

  • github.com https://github.com/feast-dev/feast/commit/b2e37ff37953b68ae833f6874ab5bc510a4ca5fb
  • huntr.com https://huntr.com/bounties/46d4d585-b968-4a76-80ce-872bc5525564

Remediation

No remediation data recorded yet.

Check vendor advisories and the NVD entry for patch availability; the feast-dev/feast commit listed under References is the upstream change associated with this report and is the first place to look. The general fix for this class of bug is to replace `yaml.load(..., Loader=yaml.Loader)` with `yaml.safe_load` (or `Loader=yaml.SafeLoader`) for any file that an untrusted party could write, and to restrict write access to the volume that carries `feature_store.yaml` and `materialization_config.yaml`.