CVE Alert

CVE-2025-11157

Severity: HIGH (7.8)

Arbitrary Code Execution in feast-dev/feast

CVSS Score: 7.8
EPSS Score: 0.0%
EPSS Percentile: 0th

A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in the Kubernetes materializer job located at `feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py`. The vulnerability arises from the use of `yaml.load(..., Loader=yaml.Loader)` to deserialize `/var/feast/feature_store.yaml` and `/var/feast/materialization_config.yaml`. This method allows for the instantiation of arbitrary Python objects, enabling an attacker with the ability to modify these YAML files to execute OS commands on the worker pod. This vulnerability can be exploited before the configuration is validated, potentially leading to cluster takeover, data poisoning, and supply-chain sabotage.
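As an added illustration, not code from the feast project, the unsafe pattern the advisory names beside a safe loader and a pre-load tag scan; the YAML texts are constructed stand-ins for the materialization config, using a harmless `!!python/name` target:

```python
import yaml

# Constructed stand-in for a tampered materialization_config.yaml. The
# ``!!python/name`` tag asks PyYAML to resolve a Python object instead of
# reading a plain scalar; a harmless target (the ``str`` type) is used.
TAMPERED_CONFIG = """project: demo
registry: data/registry.db
provider: !!python/name:builtins.str
"""
# The same file as it should look: plain scalars only.
CLEAN_CONFIG = TAMPERED_CONFIG.replace("!!python/name:builtins.str", "local")

YAML_TAG_NS = "tag:yaml.org,2002:"

def python_tags(text):
    """List every python/* tag in the document without constructing any
    object: composing with SafeLoader builds the node tree only."""
    found = []

    def walk(node):
        if node.tag.startswith(YAML_TAG_NS + "python/"):
            found.append(node.tag[len(YAML_TAG_NS):])
        if isinstance(node, yaml.SequenceNode):
            for child in node.value:
                walk(child)
        elif isinstance(node, yaml.MappingNode):
            for key, value in node.value:
                walk(key)
                walk(value)

    for root in yaml.compose_all(text, Loader=yaml.SafeLoader):
        if root is not None:
            walk(root)
    return found

def load_unsafe(text):
    """The vulnerable pattern from the advisory: yaml.Loader honours
    python/* tags, so whoever writes the file chooses what gets built."""
    return yaml.load(text, Loader=yaml.Loader)

def load_safe(text):
    """Hardened replacement: SafeLoader knows only the core YAML types and
    refuses python/* tags. Returns the config, or None when it is refused."""
    try:
        return yaml.safe_load(text)
    except yaml.constructor.ConstructorError:
        return None
```

Running `python_tags` before any load gives a detection signal on the mounted files; switching the loader is the fix the advisory's commit reference points at.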

CWE: CWE-502
Vendor: feast-dev
Product: feast-dev/feast
Published: Jan 1, 2026
Last Updated: Jun 30, 2026

CVSS v3 Breakdown

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
(Attack Vector: Local; Attack Complexity: Low; Privileges Required: Low; User Interaction: None; Scope: Unchanged; Confidentiality, Integrity and Availability impact: High)

Affected Versions

feast-dev/feast: unspecified < 0.54.0 (versions before 0.54.0; lower bound not given)

References

huntr.com: https://huntr.com/bounties/46d4d585-b968-4a76-80ce-872bc5525564
github.com (fix commit): https://github.com/feast-dev/feast/commit/b2e37ff37953b68ae833f6874ab5bc510a4ca5fb
access.redhat.com: https://access.redhat.com/security/cve/CVE-2025-11157
bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2426574
security.access.redhat.com (CSAF VEX): https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-11157.json
access.redhat.com (errata): https://access.redhat.com/errata/RHSA-2026:10184