Primary

Context

DataChain Environment Variable Deserialization Vulnerability Leading to Code Execution

Vulnerability

A vulnerability in DataChain versions prior to 0.34.2 allows for the deserialization of untrusted data from environment variables, which can lead to arbitrary code execution. This issue arises because the application loads serialized objects from environment variables like DATACHAIN__METASTORE and DATACHAIN__WAREHOUSE' in the loader.py module. An attacker who can set these environment variables can execute code when the application starts.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where DataChain is running.

Reproduction

To reproduce this vulnerability, set the DATACHAIN__METASTORE or DATACHAIN__WAREHOUSE environment variables with a payload that includes serialized data. When the DataChain application is loaded, the malicious code will be executed.

Remediation

Users can upgrade to DataChain version 0.34.2 or later to address this vulnerability.

Added: Oct 3, 2025, 10:20 PM

Updated: Oct 3, 2025, 10:20 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

4.3

remediation

7.7

relevance

0.6

threat

4.8

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

4.3

remediation

7.7

relevance

0.6

threat

4.8

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

DataChain Environment Variable Deserialization Vulnerability Leading to Code Execution

Vulnerability

Impact

Reproduction

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating