CVE-2026-56121

Feast · Feast

Feast contains an unsafe deserialization vulnerability that allows remote code execution via crafted gRPC requests to the registry server.

Executive summary

A critical remote code execution vulnerability in Feast allows unauthenticated attackers to execute arbitrary OS commands through unsafe object deserialization.

Vulnerability

The registry server handles user-defined function specifications by base64-decoding the submitted data and passing the result to dill.loads() without any prior authorization check. Because dill, like pickle, can invoke arbitrary callables while reconstructing objects, an attacker who can reach the gRPC endpoint can send a request carrying a crafted serialized Python object and obtain arbitrary code execution.
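The decode-then-deserialize shape described above, shown beside a hardened variant, as an added example that is not Feast code: a pickle.Unpickler subclass whose find_class() refuses every global outside an allow-list, which is the choke point a crafted stream needs to reach any callable. It assumes the specification is an ordinary pickle stream (dill emits pickle-protocol output) and uses a constructed allow-list and constructed sample specs rather than real registry data.

```python
import base64
import collections
import datetime
import io
import pickle

# Assumed allow-list for this example: the (module, name) pairs a spec may resolve.
# A real deployment lists exactly the classes its UDF specs need and nothing else.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class UnsafeGlobalError(pickle.UnpicklingError):
    """Raised when the stream asks for a global outside ALLOWED_GLOBALS."""


class RestrictedUnpickler(pickle.Unpickler):
    """find_class() is the one place the pickle VM resolves module.name references,
    including the callable consumed by REDUCE/NEWOBJ, so denying it here keeps a
    crafted stream from reaching any code outside the allow-list."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise UnsafeGlobalError(f"refusing to resolve {module}.{name}")
        return super().find_class(module, name)


def unsafe_loads(b64_spec: str):
    """The shape the advisory describes: base64-decode, then trust whatever is inside."""
    return pickle.loads(base64.b64decode(b64_spec))


def safe_loads(b64_spec: str):
    """Hardened loader: strict base64 decoding, then allow-listed unpickling."""
    raw = base64.b64decode(b64_spec, validate=True)
    return RestrictedUnpickler(io.BytesIO(raw)).load()


def is_spec_safe(b64_spec: str) -> bool:
    """Boundary check: True only if the payload deserializes under the allow-list."""
    try:
        safe_loads(b64_spec)
    except (pickle.UnpicklingError, ValueError, EOFError):
        return False
    return True


def _b64(obj) -> str:
    return base64.b64encode(pickle.dumps(obj)).decode()


# Constructed sample payloads standing in for registry UDF specs (not real Feast data).
PLAIN_SPEC = _b64({"name": "driver_stats", "features": ["trips", "rating"], "ttl_s": 3600})
ALLOWED_SPEC = _b64(collections.OrderedDict(name="driver_stats"))  # resolves an allowed global
DENIED_SPEC = _b64(datetime.date(2026, 1, 1))  # resolves datetime.date, which is not allowed
```

An allow-list narrows the attack surface but does not make pickle or dill safe in general, since any allow-listed callable can still be invoked with attacker-chosen arguments; the upgrade to 0.63.0 and authorizing the gRPC call before any decoding remain the primary fix.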

Business impact

With a CVSS score of 9.8, this flaw enables complete compromise of the host environment running the Feast service. Successful exploitation grants the attacker the privileges of the feast service account, leading to potential lateral movement across the internal data infrastructure.

Remediation

Immediate Action: Update the Feast deployment to version 0.63.0 or later to ensure proper validation and secure deserialization processes.

Proactive Monitoring: Monitor gRPC traffic to the registry server for unusual request payloads, and alert on unexpected child processes or system-level commands spawned by the Feast process.

Compensating Controls: Implement strict network segmentation to limit the exposure of the Feast registry server and ensure it is not reachable from untrusted network zones.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Remote code execution vulnerabilities of this nature present an extreme risk to the environment. Administrators must prioritize the update to version 0.63.0 to mitigate the risk of unauthorized command execution and system compromise.