Low severity 2.5 · OSV Advisory · Published Oct 3, 2025 · Updated Apr 15, 2026
CVE-2025-61677
Description
DataChain is a Python-based AI-data warehouse for transforming and analyzing unstructured data. Versions 0.34.1 and below allow deserialization of untrusted data because of the way the DataChain library reads serialized objects from environment variables (such as DATACHAIN__METASTORE and DATACHAIN__WAREHOUSE) in the loader.py module. An attacker with the ability to set these environment variables can trigger code execution when the application loads. This issue is fixed in version 0.34.2.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| datachain (PyPI) | < 0.34.2 | 0.34.2 |
References
- github.com/advisories/GHSA-6px8-mr29-cj4r (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-61677 (ghsa, ADVISORY)
- github.com/iterative/datachain/commit/914b95610620d50c8d9bee506ccbfa7d4d57fdc0 (nvd, WEB)
- github.com/iterative/datachain/pull/1358 (nvd, WEB)
- github.com/iterative/datachain/security/advisories/GHSA-6px8-mr29-cj4r (nvd, WEB)