PT-2026-1002 · Feast Dev · Feast

Published

2026-01-01

·

Updated

2026-01-01

·

CVE-2025-11157

CVSS v3.1

7.8

High

Vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions feast-dev/feast version 0.53.0
Description A high-severity code execution issue exists in the Kubernetes materializer job located at feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py. The job deserializes /var/feast/feature_store.yaml and /var/feast/materialization_config.yaml with yaml.load(..., Loader=yaml.Loader), a full loader that honours PyYAML's python/object tags and therefore instantiates arbitrary Python objects while parsing. An attacker who can modify either file can have the loader import a module and call a function of their choosing, which is enough to execute OS commands on the worker pod. Because the objects are constructed during parsing, exploitation happens before any configuration validation runs, and a validation layer cannot catch it. Consistent with the AV:L/PR:L vector, the precondition is write access to those files on the pod (for example through the volume that supplies them), not an unauthenticated network path; once achieved, the impact described is cluster takeover, data poisoning, and supply-chain sabotage of materialized features.
Recommendations Versions prior to 0.53.0 are not affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability. Until a fix is available, the root cause can be removed by loading both files with yaml.safe_load (or Loader=yaml.SafeLoader), which constructs only plain YAML types and rejects python/* tags, and write access to the mounted YAML files should be limited to the component that produces them.
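The following is an added example, not code from Feast or from the advisory, showing why the Loader choice matters. A constructed feature_store.yaml-shaped document carries a python/object/apply tag; the callable named is builtins.sum, a harmless stand-in for what an attacker would actually name (os.system, subprocess.Popen, and so on). The full yaml.Loader calls it during parsing, whereas SafeLoader refuses the document. The REQUIRED_KEYS schema and the validate helper are assumptions added for illustration and are not Feast's own validation.

```python
"""Vulnerable-vs-hardened YAML loading, illustrating CVE-2025-11157."""
import yaml

# Constructed sample (not taken from Feast): a feature_store.yaml-shaped
# document in which one value carries a python/object/apply tag. builtins.sum
# is a deliberately harmless stand-in for the callable an attacker would pick.
TAMPERED_CONFIG = """\
project: demo
registry: data/registry.db
provider: !!python/object/apply:builtins.sum
  - [1, 2, 3]
online_store:
  type: sqlite
"""

# Assumed minimal schema for the illustration; not Feast's real schema.
REQUIRED_KEYS = ("project", "registry", "provider")


def load_unsafe(text: str):
    """The vulnerable pattern: yaml.Loader honours python/* tags, so the tagged
    node is resolved by importing builtins and calling sum([1, 2, 3]) while the
    document is being parsed, before any validation can run."""
    return yaml.load(text, Loader=yaml.Loader)


def load_safe(text: str):
    """Hardened replacement: SafeLoader constructs only plain YAML types
    (str, int, float, bool, list, dict, ...) and raises on python/* tags."""
    return yaml.load(text, Loader=yaml.SafeLoader)


def validate(config) -> dict:
    """Schema check that should run on the output of a safe loader. It cannot
    protect a full loader: by the time it sees the result, any object
    construction triggered by a tag has already happened."""
    if not isinstance(config, dict):
        raise ValueError("top-level YAML document must be a mapping")
    missing = [k for k in REQUIRED_KEYS if k not in config]
    if missing:
        raise ValueError(f"missing keys: {missing}")
    if not isinstance(config["provider"], str):
        raise ValueError("provider must be a string")
    return config


def load_config(text: str) -> dict:
    """Safe path: parse without object construction, then validate."""
    return validate(load_safe(text))


def compare(text: str) -> tuple:
    """Return (value the unsafe loader produced for 'provider',
    whether SafeLoader refused the same document)."""
    unsafe_value = load_unsafe(text)["provider"]
    try:
        load_safe(text)
        refused = False
    except yaml.YAMLError:
        refused = True
    return unsafe_value, refused


if __name__ == "__main__":
    value, refused = compare(TAMPERED_CONFIG)
    print(f"yaml.Loader called the tagged callable and produced: {value!r}")
    print(f"SafeLoader refused the document: {refused}")
    clean = "project: demo\nregistry: data/registry.db\nprovider: local\n"
    print(load_config(clean))
```

The unsafe loader returns 6 for the provider key, which is the result of a Python call chosen by whoever wrote the file; swapping builtins.sum for os.system would run a shell command at the same point. The safe path raises on the tag before any value is returned, so the validate step only ever sees plain data.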

RCE

Weakness Enumeration

CWE-502: Deserialization of Untrusted Data

Related Identifiers

CVE-2025-11157
GHSA-34WM-4HW7-QFJV

Affected Products

Feast