CVE-2026-35171
Kedro · Kedro
Kedro is vulnerable to remote code execution due to unvalidated logging configuration paths that permit arbitrary callable instantiation.
Executive summary
A critical remote code execution vulnerability in Kedro allows attackers to execute arbitrary system commands via maliciously crafted logging configurations.
Vulnerability
The application loads logging configurations from a user-controlled environment variable (KEDRO_LOGGING_CONFIG) without validation. The logging configuration schema allows an arbitrary callable to be named and instantiated, which an attacker can exploit to execute system commands.
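The validation the vulnerability lacks, as an added example that is not Kedro's own code: an allowlist check run over a logging dictConfig-style mapping before it reaches logging.config.dictConfig(), assuming the loaded configuration is such a mapping (its "()" factory and "class" keys are where a dotted callable path gets instantiated). ALLOWED_CALLABLES, the two sample configs and the name "some.untrusted.factory" are constructed for the example.

```python
"""Refuse a logging dictConfig mapping that names callables outside an
allowlist, before handing it to logging.config.dictConfig()."""
import logging.config
from typing import Any

# Constructed allowlist: only the stdlib handler/formatter classes a
# deployment actually needs. Any other dotted path is refused.
ALLOWED_CALLABLES = {
    "logging.StreamHandler",
    "logging.FileHandler",
    "logging.handlers.RotatingFileHandler",
    "logging.Formatter",
}

# dictConfig keys whose value names a callable to import and instantiate.
FACTORY_KEYS = ("()", "class")


def find_disallowed_callables(config: dict[str, Any]) -> list[str]:
    """Return a description of every factory callable not on the allowlist."""
    bad = []
    for section in ("formatters", "filters", "handlers"):
        for name, spec in (config.get(section) or {}).items():
            if not isinstance(spec, dict):
                continue
            for key in FACTORY_KEYS:
                target = spec.get(key)
                if target is None:
                    continue
                # A non-string target cannot be matched against the allowlist
                # by name, so it is refused as well.
                if not isinstance(target, str) or target not in ALLOWED_CALLABLES:
                    bad.append(f"{section}.{name}.{key}={target!r}")
    return bad


def configure_logging_safely(config: dict[str, Any]) -> bool:
    """Apply the config only if every named callable is allowlisted."""
    bad = find_disallowed_callables(config)
    if bad:
        raise ValueError("refusing logging config with unallowlisted callables: "
                         + ", ".join(bad))
    logging.config.dictConfig(config)
    return True


# Constructed samples: a benign config, and one that smuggles in a factory.
SAFE_CONFIG = {
    "version": 1,
    "formatters": {"plain": {"format": "%(levelname)s %(message)s"}},
    "handlers": {"console": {"class": "logging.StreamHandler", "formatter": "plain"}},
    "root": {"level": "INFO", "handlers": ["console"]},
}
UNSAFE_CONFIG = {
    "version": 1,
    "handlers": {"evil": {"()": "some.untrusted.factory", "arg": "x"}},
    "root": {"handlers": ["evil"]},
}
```

The same check can be applied to a file named by KEDRO_LOGGING_CONFIG after it is parsed and before dictConfig is called.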
Business impact
Exploitation of this vulnerability grants the attacker the ability to execute code with the permissions of the Kedro process. This can lead to total system takeover, data exfiltration, and lateral movement within the production environment, justifying the 9.8 CVSS score.
Remediation
Immediate Action: Upgrade Kedro to version 1.3.0 or later to ensure logging configurations are properly validated.
Proactive Monitoring: Monitor system logs and process execution for unexpected child processes spawned by the Kedro application.
Compensating Controls: Restrict the ability of external users to set environment variables on systems running Kedro and implement OS-level hardening.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The ability to achieve remote code execution makes this a high-priority risk. Administrators must update to the patched version of Kedro immediately to close this execution vector and protect the integrity of the data science environment.