Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionNVD
A path traversal vulnerability exists in the extract_archive_to_dir function within the mlflow/pyfunc/dbconnect_artifact_cache.py file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member paths during extraction. An attacker with control over the tar.gz file can exploit this issue to overwrite arbitrary files or gain elevated privileges, potentially escaping the sandbox directory in multi-tenant or shared cluster environments.
AnalysisAI
Path traversal in MLflow's tar.gz extraction (mlflow/mlflow versions <3.7.0) allows remote attackers to overwrite arbitrary files and potentially escape sandbox isolation via malicious archive uploads. The vulnerability affects the extract_archive_to_dir function which fails to validate tar member paths during extraction. Exploitation requires user interaction (CVSS UI:R) but needs no authentication (PR:N). EPSS data not provided, but no CISA KEV listing indicates no confirmed active exploitation at time of analysis. Public exploit code exists via Huntr bounty disclosure.
Technical ContextAI
This vulnerability affects MLflow (cpe:2.3:a:mlflow:mlflow/mlflow), an open-source platform for managing machine learning lifecycle. The flaw resides in the extract_archive_to_dir function within mlflow/pyfunc/dbconnect_artifact_cache.py, which handles artifact extraction from tar.gz archives. The root cause is CWE-29 (Path Traversal: '..\filename'), where insufficient validation of tar member paths allows directory traversal sequences. When MLflow processes user-supplied tar.gz files, an attacker can craft malicious archives containing paths like '../../etc/passwd' or similar traversal patterns. During extraction, these paths are not sanitized, allowing files to be written outside the intended extraction directory. This is particularly dangerous in multi-tenant MLflow deployments or shared cluster environments where sandbox isolation is critical for security boundaries.
RemediationAI
Vendor-released patch: MLflow version 3.7.0. Organizations should immediately upgrade to MLflow 3.7.0 or later, which includes the fix implemented in commit 3bf6d81ac4d38654c8ff012dbd0c3e9f17e7e346 (available at https://github.com/mlflow/mlflow/commit/3bf6d81ac4d38654c8ff012dbd0c3e9f17e7e346). The patch implements proper validation of tar member paths to prevent directory traversal during archive extraction. Upgrade can typically be performed via pip install --upgrade mlflow>=3.7.0. For environments where immediate patching is not feasible, implement network-level controls to restrict who can upload artifacts to MLflow servers, enforce strict input validation on tar.gz files before they reach MLflow, and consider running MLflow in isolated containers with restricted filesystem permissions to limit the impact of successful exploitation. Review audit logs for suspicious artifact uploads or unusual file system access patterns that might indicate exploitation attempts. In multi-tenant environments, evaluate whether additional sandbox hardening or process isolation is needed beyond the MLflow application layer.
More in Mlflow Mlflow
View allMLflow's FastAPI job endpoints bypass basic-auth entirely, allowing network attackers to submit and execute jobs without
Critical command injection in MLflow 3.8.0 enables remote code execution during model deployment when attackers supply m
Cross-origin request forgery in MLflow 3.9.0's Assistant feature allows remote attackers to bypass loopback-only protect
MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc
Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode
Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by
Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to
Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrar
Server-side environment variable disclosure in MLflow versions prior to 3.11.0 allows attackers to exfiltrate sensitive
Remote unauthenticated attackers can read arbitrary files from MLflow server filesystems in versions 3.9.0 and earlier.
Server-Side Request Forgery in MLflow allows authenticated users to force the MLflow backend to send HTTP requests to ar
MLflow's basic-auth authentication system fails to protect tracing and assessment endpoints, enabling any authenticated
Same weakness CWE-29 – Path Traversal: '\\..\\filename'
View allSame technique Path Traversal
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209119
GHSA-vhcx-3pq2-4fvc