CVE-2026-56121
🟠 Łataj w tym tygodniu
Niebezpieczna deserializacja w Feast umożliwia zdalne wykonanie kodu przez atakujących.
CVSS
9.8
EPSS
0.8%
Exploit
none
Vendor
Opis źródłowy (NVD)
Feast before 0.63.0 contains an unsafe deserialization vulnerability that allows unauthenticated or unauthorized attackers to achieve remote code execution by sending a crafted gRPC request to the registry server. The user_defined_function.body field of an OnDemandFeatureView spec is decoded from base64 and passed to dill.loads() before any authorization check is performed, enabling attackers to embed a malicious serialized Python object with an arbitrary __reduce__ method to execute OS commands as the feast service account.
deserialization rce
Brak patcha
Źródła i daty
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 9.8 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 0.8% |
| Opublikowano (NVD) | 2026-06-24 16:16:33 UTC |
| Ostatnia modyfikacja (NVD) | 2026-06-26 05:16:31 UTC |
Referencje
- https://github.com/feast-dev/feast/commit/835cda8e2c1359f1f496ad72701dbd6a73bdb25a (disclosure@vulncheck.com)
- https://github.com/feast-dev/feast/releases/tag/v0.63.0 (disclosure@vulncheck.com)
- https://huntr.com/bounties/d64b8111-180b-46ba-afa3-c877fda2ede6 (disclosure@vulncheck.com)
- https://www.vulncheck.com/advisories/feast-unauthenticated-rce-via-applyfeatureview-grpc-deserialization (disclosure@vulncheck.com)