Remote Code Execution Vulnerability in Feast by Feast Dev
CVE-2025-11157

7.8 HIGH

Key Information:

Vendor: Feast-dev
CVE Published: 1 January 2026

What is CVE-2025-11157?

A remote code execution vulnerability has been identified in Feast version 0.53.0, specifically within the Kubernetes materializer job. The flaw stems from deserializing the feature store and materialization configuration files with yaml.load(...) instead of a safe loader. An attacker who can modify these YAML files can therefore execute arbitrary OS commands on the worker pod, which could lead to severe consequences such as cluster takeover, data poisoning, and even supply-chain sabotage. Organizations running this software should apply mitigations promptly.
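The following is an added example, not Feast's own code, showing the defensive pattern the advisory implies: parse the configuration with yaml.safe_load and refuse any document carrying tags outside the YAML core schema before loading it. The file layout (project, provider, online_store keys) and both sample documents are constructed for illustration.

```python
import yaml

# Added example (not Feast's code): load the feature-store / materialization
# YAML with SafeLoader and refuse documents carrying non-core tags, which is
# what yaml.load(...) with an unrestricted Loader would turn into live objects.
CORE_TAG_PREFIX = "tag:yaml.org,2002:"          # YAML 1.1 core schema namespace
PYTHON_TAG_PREFIX = CORE_TAG_PREFIX + "python/"  # PyYAML language-specific tags


def find_suspect_tags(text: str) -> list[str]:
    """Return every explicit tag a plain config file should never carry.

    yaml.compose only builds the node graph and runs no constructors, so it is
    safe to call on untrusted input before deciding whether to load it.
    """
    found: list[str] = []

    def walk(node: yaml.Node) -> None:
        tag = node.tag or ""
        if tag.startswith(PYTHON_TAG_PREFIX) or not tag.startswith(CORE_TAG_PREFIX):
            found.append(tag)
        if isinstance(node, yaml.MappingNode):
            for key, value in node.value:
                walk(key)
                walk(value)
        elif isinstance(node, yaml.SequenceNode):
            for item in node.value:
                walk(item)

    root = yaml.compose(text, Loader=yaml.SafeLoader)
    if root is not None:
        walk(root)
    return found


def load_config(text: str) -> dict:
    """Hardened replacement for yaml.load(text): reject tags, then safe_load."""
    suspect = find_suspect_tags(text)
    if suspect:
        raise ValueError(f"refusing config with non-core YAML tags: {suspect}")
    data = yaml.safe_load(text)
    if not isinstance(data, dict):
        raise ValueError("config must be a mapping at the top level")
    return data


# Constructed samples: a benign feature_store.yaml-shaped document, and the
# same shape with one value carrying a Python-specific tag (harmless target).
BENIGN_CONFIG = "project: demo\nprovider: local\nonline_store:\n  type: sqlite\n"
TAGGED_CONFIG = "project: demo\nprovider: !!python/name:math.pi\n"
```

Running load_config over files read from the pod's mounted configuration before the materializer consumes them turns a silent code-execution path into a logged, rejected configuration.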

Affected Version(s)

feast-dev/feast < 0.54.0

CVSS V3.0

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved