CVE-2025-61677 LOW

CVE-2025-61677: DataChain: Deserialization of Untrusted Data from Environment Variables

Vendor Iterative
Product datachain
Weakness CWE-502 · Unsafe deserialization
Published October 3, 2025
Last update October 6, 2025

CVSS base score

2.5/10
Attack vector Local
Attack complexity High
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

Description

DataChain is a Python-based AI-data warehouse for transforming and analyzing unstructured data. Versions 0.34.1 and below allow deserialization of untrusted data because the DataChain library reads serialized objects from environment variables (such as DATACHAIN__METASTORE and DATACHAIN__WAREHOUSE) in the loader.py module. An attacker able to set these environment variables can trigger code execution when the application loads. This issue is fixed in version 0.34.2.
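
As an added illustration of the CWE-502 pattern this record names (not DataChain's own loader.py, whose configuration format is not shown here), the following hardened loader reads the two environment variables as JSON against a constructed allowlist and refuses any value that looks like a pickle stream. The JSON layout, the key names and the allowed backend types are assumptions made for the example.

```python
import base64
import binascii
import json
import os

# Constructed allowlists for this illustration; DataChain's real schema is not on the page.
CONFIG_VARS = ("DATACHAIN__METASTORE", "DATACHAIN__WAREHOUSE")
ALLOWED_KEYS = {"type", "path", "url"}
ALLOWED_TYPES = {"sqlite", "postgres"}


def looks_like_pickle(value: str) -> bool:
    """True if the value is a raw or base64-encoded pickle stream: pickle
    protocol 2+ opens with the PROTO opcode 0x80, so a leading 0x80 byte
    (raw, or after base64 decoding) flags a serialized object, not config."""
    if value.encode("latin-1", errors="ignore")[:1] == b"\x80":
        return True
    try:
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return decoded[:1] == b"\x80"


def parse_config(name: str, value: str) -> dict:
    """Parse one variable as a flat JSON object and validate it. The string
    never reaches pickle, marshal, yaml.load or eval; JSON yields plain data
    only, so a hostile value cannot execute code during loading."""
    if looks_like_pickle(value):
        raise ValueError(f"{name}: refusing pickle-like serialized object")
    try:
        cfg = json.loads(value)
    except json.JSONDecodeError as exc:
        raise ValueError(f"{name}: not valid JSON ({exc.msg})") from exc
    if not isinstance(cfg, dict):
        raise ValueError(f"{name}: expected a JSON object")
    unknown = set(cfg) - ALLOWED_KEYS
    if unknown:
        raise ValueError(f"{name}: unexpected keys {sorted(unknown)}")
    if cfg.get("type") not in ALLOWED_TYPES:
        raise ValueError(f"{name}: unsupported type {cfg.get('type')!r}")
    if not all(isinstance(v, str) for v in cfg.values()):
        raise ValueError(f"{name}: every value must be a string")
    return cfg


def load_from_env(environ=None) -> dict:
    """Load every recognised DATACHAIN__* variable that is set."""
    env = os.environ if environ is None else environ
    return {n: parse_config(n, env[n]) for n in CONFIG_VARS if n in env}
```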

Key dates

Disclosure timeline

October 3, 2025 CVE published
October 6, 2025 Record updated