CVE-2025-11157 HIGH

CVE-2025-11157: Arbitrary Code Execution in feast-dev/feast

Vendor Feast-Dev
Product feast-dev/feast
Weakness CWE-502 · Unsafe deserialization
Published January 1, 2026
Last update June 30, 2026
View on NVD All CVEs

CVSS base score

7.8/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in the Kubernetes materializer job located at `feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py`. The vulnerability arises from the use of `yaml.load(..., Loader=yaml.Loader)` to deserialize `/var/feast/feature_store.yaml` and `/var/feast/materialization_config.yaml`. This method allows for the instantiation of arbitrary Python objects, enabling an attacker with the ability to modify these YAML files to execute OS commands on the worker pod. This vulnerability can be exploited before the configuration is validated, potentially leading to cluster takeover, data poisoning, and supply-chain sabotage.

Key dates

02Disclosure timeline

January 1, 2026 CVE published
June 30, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-40044 Pachno 1.0.6 FileCache Deserialization Remote Code Execution CVE-2021-44228 Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints CVE-2025-53465 WordPress GSheets Connector Plugin <= 1.1.1 - PHP Object Injection Vulnerability CVE-2026-33454 Apache Camel: Inbound Header Filter Missing in MailHeaderFilterStrategy Allows Remote Code Execution via MIME Header Injection (CVE-2025-30177 Variant) CVE-2025-12099 Academy LMS – WordPress LMS Plugin for Complete eLearning Solution <= 3.3.8 - Authenticated (Administrator+) PHP Object Injection via 'import_all_courses'