LOW 2.5
PYSEC-2026-1288
DataChain Vulnerable to Deserialization of Untrusted Data from Environment Variables
Details
The DataChain library reads serialized objects from environment variables (such as `DATACHAIN__METASTORE` and `DATACHAIN__WAREHOUSE`) in the `loader.py` module. An attacker with the ability to set these environment variables can trigger code execution when the application loads.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/iterative/datachain/security/advisories/GHSA-6px8-mr29-cj4r [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2025-61677 [ADVISORY]
- https://github.com/iterative/datachain/pull/1358 [WEB]
- https://github.com/iterative/datachain/commit/914b95610620d50c8d9bee506ccbfa7d4d57fdc0 [WEB]
- https://github.com/iterative/datachain [PACKAGE]
- https://pypi.org/project/datachain [PACKAGE]
- https://github.com/advisories/GHSA-6px8-mr29-cj4r [ADVISORY]