Feasting on YAML: How a Feature Store Configuration Became a Remote Code Execution Nightmare

Amit Schendel

Senior Security Researcher

Jan 2, 2026·5 min read·1 visit

PoC Available

Executive Summary (TL;DR)

Feast <= 0.53.0 uses the unsafe `yaml.load()` method in its Kubernetes materializer component. This allows an attacker who can modify the materialization job's configuration (via Kubernetes ConfigMaps) to inject Python objects that execute code upon deserialization. The fix is a one-line change to `yaml.safe_load()` in version 0.54.0.

A high-severity deserialization vulnerability in the Feast machine learning feature store allows attackers with access to Kubernetes ConfigMaps to execute arbitrary code via malicious YAML tags.

Attack Flow Diagram

Official Patches

FeastGitHub Commit fixing the deserialization issue

Fix Analysis (1)

Technical Appendix

CVSS Score

7.8/ 10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

0.28%

Top 88% most exploited

Affected Systems

Feast Feature Store (Python SDK)Kubernetes Clusters running Feast Materializers

Affected Versions Detail

Product	Affected Versions	Fixed Version
feast Feast	<= 0.53.0	0.54.0

Attribute	Detail
CWE ID	CWE-502 (Deserialization of Untrusted Data)
CVSS Score	7.8 (High)
Attack Vector	Local / Config Injection
Library	PyYAML
Function	yaml.load(Loader=yaml.Loader)
EPSS Score	0.00278

MITRE ATT&CK Mapping

T1059Command and Scripting Interpreter

Execution

T1562Impair Defenses

Defense Evasion

T1070Indicator Removal

Defense Evasion

CWE-502

Deserialization of Untrusted Data

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Known Exploits & Detection

HypotheticalExploit involves injecting standard PyYAML RCE payloads into Kubernetes ConfigMaps.

Vulnerability Timeline

Patch committed to main branch

2025-01-15

Feast 0.54.0 Released

2025-01-20