CVE-2025-61677: DataChain Vulnerable to Deserialization of Untrusted Data from Environment Variables
The DataChain library reads serialized objects from environment variables (such as DATACHAIN__METASTORE and DATACHAIN__WAREHOUSE) in the loader.py module and deserializes them when the application loads. An attacker with the ability to set these environment variables can therefore trigger code execution at startup, before the application's own code has run. The trust boundary to examine is whoever can influence the process environment of a DataChain-based program (for example a job runner, container orchestrator or parent process): because the value is deserialized as an object rather than parsed as plain configuration data, the serialized stream itself determines what code runs.
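The following Python is an added illustration of the bug class the advisory describes, not DataChain's own code: the variable name EXAMPLE__METASTORE, the ExampleMetastore backend, the EXAMPLE_PWNED marker and every helper are invented for this example. It shows a loader that unpickles whatever the environment carries, the shape of a value an attacker could place in that variable (the payload only sets a marker variable so its effect is observable), and two hardened loaders: a restricted unpickler for the case where the pickle format must be kept, and a JSON specification with an explicit backend allow-list, which is the preferable design.

```python
"""Illustration of CVE-2025-61677's bug class, not DataChain's own code.

Every name here (EXAMPLE__METASTORE, ExampleMetastore, EXAMPLE_PWNED and the
loader functions) is invented for the example; DataChain's loader is not reproduced.
"""
import base64
import io
import json
import os
import pickle
from typing import Any, Mapping

CONFIG_ENV = "EXAMPLE__METASTORE"  # stand-in for DATACHAIN__METASTORE
PWNED_ENV = "EXAMPLE_PWNED"        # marker the payload sets so its effect is observable


class ExampleMetastore:
    """Stand-in for a backend object that configuration is allowed to select."""

    def __init__(self, db_file: str = "metastore.db") -> None:
        self.db_file = db_file


ALLOWED_BACKENDS = {"ExampleMetastore": ExampleMetastore}


# --- the vulnerable pattern: trust whatever the process environment carries ---
def load_metastore_unsafe(env: Mapping[str, str] = os.environ) -> Any:
    blob = env.get(CONFIG_ENV)
    if not blob:
        return None
    # pickle resolves and calls any importable callable named in the stream
    return pickle.loads(base64.b64decode(blob))


# --- what an attacker who controls the variable can put in it ---
class _Payload:
    def __reduce__(self):
        # builtins.exec is importable by name, so the unpickler calls it for us
        return (exec, (f"import os; os.environ[{PWNED_ENV!r}] = '1'",))


def craft_payload() -> str:
    return base64.b64encode(pickle.dumps(_Payload())).decode()


def legit_blob(db_file: str) -> str:
    """What a benign pickle-based configuration value looks like."""
    return base64.b64encode(pickle.dumps(ExampleMetastore(db_file))).decode()


def pwned_marker_set() -> bool:
    return os.environ.get(PWNED_ENV) == "1"


# --- hardening 1: if pickle must stay, refuse every global outside the allow-list ---
class _RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module: str, name: str):
        cls = ALLOWED_BACKENDS.get(name)
        if module == __name__ and cls is not None:
            return cls
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def load_metastore_restricted(env: Mapping[str, str] = os.environ) -> Any:
    blob = env.get(CONFIG_ENV)
    if not blob:
        return None
    return _RestrictedUnpickler(io.BytesIO(base64.b64decode(blob))).load()


# --- hardening 2 (preferred): carry data, not objects, and build the object yourself ---
def load_metastore_json(env: Mapping[str, str] = os.environ) -> Any:
    blob = env.get(CONFIG_ENV)
    if not blob:
        return None
    spec = json.loads(blob)  # raises ValueError on anything that is not JSON
    if not isinstance(spec, dict) or not isinstance(spec.get("backend"), str):
        raise ValueError("configuration must be a JSON object naming a backend")
    cls = ALLOWED_BACKENDS.get(spec["backend"])
    if cls is None:
        raise ValueError(f"unknown backend {spec['backend']!r}")
    kwargs = spec.get("kwargs", {})
    if not isinstance(kwargs, dict) or not all(isinstance(k, str) for k in kwargs):
        raise ValueError("kwargs must be a JSON object with string keys")
    return cls(**kwargs)


def rejects(loader, blob: str) -> bool:
    """True if the loader refuses the value instead of acting on it."""
    try:
        loader({CONFIG_ENV: blob})
    except (pickle.UnpicklingError, ValueError, TypeError):
        return True
    return False


if __name__ == "__main__":
    evil = craft_payload()
    print("restricted loader rejects payload:", rejects(load_metastore_restricted, evil))
    print("json loader rejects payload:", rejects(load_metastore_json, evil))
    load_metastore_unsafe({CONFIG_ENV: evil})
    print("unsafe loader ran attacker-supplied code:", pwned_marker_set())
```

The restricted unpickler only narrows the blast radius: anything reachable through the allow-listed class (its constructor arguments, its `__setstate__`) is still attacker-controlled, which is why the JSON form, where the loader decides which class to instantiate and validates the arguments itself, is the better fix for configuration that arrives from the environment.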