Denial of Service Vulnerability in DataChain by Iterative
CVE-2025-61677

2.5 LOW

Key Information:

Vendor: Iterative
Status: Vendor
CVE Published: 3 October 2025

What is CVE-2025-61677?

The DataChain library, a Python-based AI data warehouse, is susceptible to a vulnerability that allows an attacker to execute arbitrary code through deserialization of untrusted data. The cause is the library's handling of serialized objects taken from environment variables such as DATACHAIN__METASTORE and DATACHAIN__WAREHOUSE in its loader.py module. An attacker who can set these environment variables can trigger code execution when the application loads. The issue is resolved in version 0.34.2; users should upgrade to that version or later.
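A defender's check for the fixed version and the environment variables named above, written as an added example that is not part of this advisory or of the DataChain project; the handling of pre-release suffixes is this example's own assumption.

```python
"""Audit helper for CVE-2025-61677: DataChain < 0.34.2 (added example,
not code from the advisory or the DataChain project). Checks whether an
installed version is affected and, if so, which of the environment
variables the advisory names are set, since those feed the vulnerable
loader. Version and variable names come from the advisory."""

import re
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = "0.34.2"
# Environment variables the advisory names as the deserialization source.
SENSITIVE_ENV_VARS = ("DATACHAIN__METASTORE", "DATACHAIN__WAREHOUSE")


def parse_version(version: str) -> Tuple[int, ...]:
    """Comparable tuple: numeric segments padded to three, then a marker
    of -1 for pre-releases (0.34.2rc1 predates the fix) or 0 otherwise.
    Suffix handling is an assumption of this example, not PEP 440."""
    match = re.match(r"^\s*v?(\d+(?:\.\d+)*)(.*)$", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    parts += (0,) * (3 - len(parts))
    suffix = match.group(2).strip().lower()
    prerelease = bool(re.match(r"^[.\-]?(a|b|c|rc|alpha|beta|dev)", suffix))
    return parts + ((-1,) if prerelease else (0,))


def is_affected(installed: str) -> bool:
    """True when the installed datachain version is below the fixed release."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def audit(installed: Optional[str], env: Dict[str, str]) -> List[str]:
    """Return findings for one host; empty when nothing needs attention."""
    findings: List[str] = []
    if installed is None or not is_affected(installed):
        return findings  # not installed, or already at/after the fix
    findings.append(f"datachain {installed} is below {FIXED_VERSION}: upgrade")
    for name in SENSITIVE_ENV_VARS:
        if name in env:
            findings.append(f"{name} is set: the vulnerable load path is reachable")
    return findings


if __name__ == "__main__":
    # Constructed sample: an affected version with one variable set.
    for line in audit("0.34.1", {"DATACHAIN__METASTORE": "<opaque value>"}):
        print(line)
```

On a real host, feed `audit` the value of `importlib.metadata.version("datachain")` and `os.environ` instead of the constructed sample.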

Affected Version(s)

datachain < 0.34.2

References

CVSS V3.1

Score: 2.5
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
