CVE-2025-61677
BaseFortify
Publication date: 2025-10-03
Last updated on: 2025-10-06
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| iterative | datachain | 0.34.2 |
| iterative | datachain | 0.34.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in DataChain versions 0.34.1 and below, where the software deserializes untrusted data from environment variables such as DATACHAIN__METASTORE and DATACHAIN__WAREHOUSE. Because of this, an attacker who can set these environment variables can execute arbitrary code when the application loads. The issue is fixed in version 0.34.2.
How can this vulnerability impact me?
If an attacker can set environment variables for the DataChain application, they can execute arbitrary code on the system when the application loads. This could lead to unauthorized actions or compromise of the system running DataChain.
What immediate steps should I take to mitigate this vulnerability?
Upgrade DataChain to version 0.34.2 or later, as this version fixes the vulnerability related to deserialization of untrusted data from environment variables. Additionally, avoid setting or allowing untrusted users to set the environment variables DATACHAIN__METASTORE and DATACHAIN__WAREHOUSE to prevent exploitation.
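An added audit helper for the mitigation steps above (example code, not DataChain's or BaseFortify's own): it compares the installed datachain version against the fixed 0.34.2 release and flags the two environment variables the advisory names. The function names, the version-parsing rules and the finding strings are assumptions of this example.

```python
"""Audit check for CVE-2025-61677: DataChain < 0.34.2 deserializes untrusted
data from DATACHAIN__METASTORE / DATACHAIN__WAREHOUSE.
Example code, not part of DataChain; names below are this example's own."""
import os
import re
from importlib import metadata
from typing import Dict, List, Optional, Tuple

# Environment variables the advisory names as untrusted deserialization inputs.
SENSITIVE_ENV_VARS = ("DATACHAIN__METASTORE", "DATACHAIN__WAREHOUSE")
# Version that fixes the issue; the trailing 1 marks a final (non-pre) release.
FIXED_VERSION = (0, 34, 2, 1)


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Map 'X.Y.Z', 'X.Y.Zrc1', 'X.Y.Z.dev3' or 'X.Y.Z.post0' to a comparable
    tuple. A pre-release of X.Y.Z gets 0 so it sorts before the final X.Y.Z."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)(?:(a|b|rc|\.dev)\d*)?", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, pre = match.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def is_affected(version: str) -> bool:
    """True for 0.34.1 and earlier (and pre-releases of 0.34.2)."""
    return parse_version(version) < FIXED_VERSION


def installed_datachain_version() -> Optional[str]:
    """Version of the installed datachain package, or None if absent."""
    try:
        return metadata.version("datachain")
    except metadata.PackageNotFoundError:
        return None


def audit(version: Optional[str], env: Dict[str, str]) -> List[str]:
    """Return findings for the given version and environment mapping."""
    if version is None:
        return ["datachain not installed; nothing to check"]
    findings = []
    if is_affected(version):
        findings.append(f"datachain {version} is affected; upgrade to 0.34.2 or later")
    for name in SENSITIVE_ENV_VARS:
        if name in env:
            findings.append(f"{name} is set; confirm untrusted users cannot control it")
    return findings


if __name__ == "__main__":
    for line in audit(installed_datachain_version(), dict(os.environ)) or ["no findings"]:
        print(line)
```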