What is the CVSS score of CVE-2025-61677?

CVE-2025-61677 has a CVSS 3.1 base score of 2.5 (Low). CVSS vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N. EPSS exploitation probability: 0.1%.

Which versions of Python are affected by CVE-2025-61677?

CVE-2025-61677 is a low-severity vulnerability in DataChain (CVSS 2.5). The limited severity suggests constrained impact, typically requiring specific conditions or local access for exploitation.. A patch is available.

How to fix or mitigate CVE-2025-61677?

During next maintenance window: Apply vendor patches when convenient. Monitor vendor channels for updates.

Python CVE-2025-61677

LOW

Deserialization of Untrusted Data (CWE-502)

2025-10-03 security-advisories@github.com

GHSA-6px8-mr29-cj4r

RCE Python Deserialization

2.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

2.5 LOW

AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 13, 2026 - 19:29 vuln.today

CVE Published

Oct 03, 2025 - 22:15 nvd

LOW 2.5

DescriptionGitHub Advisory

DataChain is a Python-based AI-data warehouse for transforming and analyzing unstructured data. Versions 0.34.1 and below allow for deseriaization of untrusted data because of the way the DataChain library reads serialized objects from environment variables (such as DATACHAIN__METASTORE and DATACHAIN__WAREHOUSE) in the loader.py module. An attacker with the ability to set these environment variables can trigger code execution when the application loads. This issue is fixed in version 0.34.2.

Analysis

Technical ContextAI

Insecure deserialization occurs when untrusted data is used to reconstruct objects, allowing attackers to manipulate serialized data to execute arbitrary code. This vulnerability is classified as Deserialization of Untrusted Data (CWE-502).

RemediationAI

Avoid deserializing untrusted data. Use safe serialization formats (JSON instead of native serialization). Implement integrity checks on serialized data.

More from same product – last 7 days

CVE-2026-49257 CRITICAL Act Now

10.0 Jun 18

Authentication bypass in StarTree mcp-pinot versions 3.0.1 and earlier exposes the Model Context Protocol HTTP server on

CVE-2026-10561 CRITICAL Act Now

10.0 Jun 22

Unauthenticated remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.3 allows attackers to fully comprom

CVE-2026-55255 CRITICAL Act Now

9.9 Jun 19

Cross-user flow execution in Langflow versions prior to 1.9.1 allows any authenticated API user to run another user's fl

CVE-2026-53753 CRITICAL Act Now

9.8 Jun 16

Unauthenticated remote code execution in Crawl4AI versions <= 0.8.6 allows attackers to escape the AST-based sandbox in

CVE-2026-38714 CRITICAL Act Now

9.8 Jun 18

InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a co

CVE-2025-61677 vulnerability details – vuln.today

Back

Python CVE-2025-61677

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

Analysis

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code