PatchSiren cyber security CVE debrief
CVE-2025-11157 feast-dev CVE debrief
CVE-2025-11157 is a high-severity remote code execution vulnerability in feast-dev/feast version 0.53.0. The vulnerability exists in the Kubernetes materializer job located at `feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py`. An attacker who can modify the YAML configuration files that this job reads can execute OS commands on the worker pod, potentially leading to cluster takeover, data poisoning, and supply-chain sabotage. The vulnerability has a CVSS score of 7.8 and is classified as HIGH. The CVE was published on January 1, 2026, and last modified on June 30, 2026.
- Vendor: feast-dev
- Product: feast-dev/feast
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-01
- Original CVE updated: 2026-06-30
- Advisory published: 2026-01-01
- Advisory updated: 2026-06-30
Who should care
Organizations running feast-dev/feast version 0.53.0 should treat this vulnerability as urgent and mitigate it immediately. It can be exploited remotely by an attacker who is able to modify the materializer job's YAML configuration files; that attacker can then execute OS commands on the worker pod, potentially leading to cluster takeover, data poisoning, and supply-chain sabotage. Security teams and administrators responsible for Kubernetes deployments of Feast should prioritize patching.
Technical summary
The vulnerability arises from the use of `yaml.load(..., Loader=yaml.Loader)` to deserialize `/var/feast/feature_store.yaml` and `/var/feast/materialization_config.yaml`. That loader honours Python-specific YAML tags and will instantiate arbitrary Python objects while parsing, so an attacker with the ability to modify these YAML files can execute OS commands on the worker pod. Because the objects are constructed during parsing, before the configuration is validated, validation offers no protection; the result is potential cluster takeover, data poisoning, and supply-chain sabotage. The CVSS vector for this vulnerability is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Defensive priority
This vulnerability has a high CVSS score of 7.8 and is classified as HIGH. Organizations should prioritize patching this vulnerability to prevent potential exploitation.
Recommended defensive actions
- Apply the patch from the feast-dev/feast repository to update the Kubernetes materializer job.
- Restrict access to YAML files to prevent unauthorized modifications.
- Implement additional security measures, such as validating YAML files before deserialization.
- Monitor Kubernetes deployments for suspicious activity.
- Consider implementing compensating controls, such as network segmentation or intrusion detection systems.
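The following is an added example, not code from the Feast project or the advisory, illustrating the technical summary above and the "validate YAML files before deserialization" action: a pre-scan that refuses Python-specific YAML constructs, followed by parsing with `yaml.safe_load` (PyYAML's SafeLoader) instead of the full `Loader`. File paths and the sample configurations are constructed for the example.

```python
import re

# PyYAML's full Loader honours Python-specific tags; these patterns flag the
# shorthand form, the verbatim form, and %TAG directives (which could alias
# the python/ namespace under another handle) so a file is refused up front.
_PY_TAG = re.compile(r"!!python/\S*|!<tag:yaml\.org,2002:python/[^>]*>")
_TAG_DIRECTIVE = re.compile(r"^\s*%TAG\b", re.MULTILINE)


def find_unsafe_constructs(text: str) -> list[str]:
    """Return the offending tags/directives found in a YAML body ([] = clean)."""
    found = _PY_TAG.findall(text)
    found += [m.group(0).strip() for m in _TAG_DIRECTIVE.finditer(text)]
    return found


def load_config_safely(text: str) -> dict:
    """Parse a feature_store.yaml or materialization_config.yaml body without
    ever giving the parser a chance to build arbitrary Python objects."""
    import yaml  # PyYAML; imported here so the scanner works without it

    bad = find_unsafe_constructs(text)
    if bad:
        raise ValueError(f"refusing YAML with Python-specific constructs: {bad}")
    # safe_load uses SafeLoader, which knows only standard YAML tags, so a tag
    # the pre-scan missed still fails with ConstructorError instead of running.
    data = yaml.safe_load(text)
    if not isinstance(data, dict):
        raise ValueError("config must be a mapping at the top level")
    return data


# Constructed sample inputs (not taken from the advisory).
BENIGN_CONFIG = """\
project: demo
registry: /var/feast/registry.db
provider: local
online_store:
  type: sqlite
  path: /var/feast/online.db
"""

# Same shape, but one value carries a python/ tag: the full Loader would
# construct an object here; the checks above reject the file instead.
TAGGED_CONFIG = """\
project: demo
registry: !!python/object/apply:builtins.str ["/var/feast/registry.db"]
"""
```

The pre-scan is defence in depth only; the actual fix is never to pass untrusted YAML to `yaml.Loader`.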
Evidence notes
The CVE-2025-11157 vulnerability was reported by [email protected] and has been documented in various sources, including the NVD and Red Hat security advisories. The vulnerability affects feast-dev/feast version 0.53.0 and has a CVSS score of 7.8.
Official resources
- CVE-2025-11157 CVE record (CVE.org)
- CVE-2025-11157 NVD detail (NVD)
This article was generated with AI assistance based on the supplied source corpus.