Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6Blast Radius
ecosystem impact- 2 pypi packages depend on mlflow (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 3.8.1.
DescriptionNVD
A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the _install_model_dependencies_to_env() function. When deploying a model with env_manager=LOCAL, MLflow reads dependency specifications from the model artifact's python_env.yaml file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects versions 3.8.0 and is fixed in version 3.8.2.
AnalysisAI
Critical command injection in MLflow 3.8.0 enables remote code execution during model deployment when attackers supply malicious artifacts via the env_manager=LOCAL parameter. The _install_model_dependencies_to_env() function unsafely interpolates dependency specifications from python_env.yaml directly into shell commands without sanitization. With CVSS 10.0 (network-accessible, no authentication, no complexity) and publicly available exploit code exists (reported via Huntr bug bounty, patched in 3.8.2), this represents an immediate critical risk for organizations using MLflow model serving infrastructure. EPSS data not available, but exploitation scenario is straightforward for adversaries with model deployment access.
Technical ContextAI
MLflow is an open-source machine learning lifecycle platform that manages model deployment, serving, and dependency management. The vulnerability resides in the environment manager subsystem that handles Python dependency installation. When env_manager=LOCAL is specified during model deployment, MLflow parses the python_env.yaml file from model artifacts to determine required dependencies. The vulnerable function constructs shell commands by directly concatenating user-controlled dependency strings without input validation or command sanitization. This represents CWE-77 (Command Injection), a critical flaw class where externally-influenced input modifies the intended command string. The affected product MLflow version 3.8.0 uses Python's subprocess or shell invocation mechanisms that interpret special characters and command separators (semicolons, pipes, backticks), allowing attackers to inject arbitrary commands. Model artifacts in MLflow are typically stored as directories containing metadata files, making the python_env.yaml file a trusted input surface that was incorrectly assumed safe.
RemediationAI
Organizations must immediately upgrade MLflow to version 3.8.2 or later, which contains the complete fix for the command injection vulnerability as documented in commit 361b6f620adf98385c6721e384fb5ef9a30bb05e. The upstream fix available via the GitHub repository implements proper input sanitization in the _install_model_dependencies_to_env() function. For environments where immediate patching is not feasible, implement compensating controls including restricting model deployment permissions to trusted users only, implementing strict validation on model artifacts before deployment, avoiding the env_manager=LOCAL parameter if alternative environment managers are viable, and deploying models in isolated sandboxed containers with minimal privileges. Network segmentation should isolate MLflow model serving infrastructure from untrusted networks. Monitor MLflow deployment logs for suspicious dependency installation patterns or shell metacharacters in python_env.yaml files. Review all model artifacts deployed during the 3.8.0 version window for potential compromise indicators. Complete vendor advisory and technical details available at https://huntr.com/bounties/dc9c1c20-7879-4050-87df-4d095fe5ca75 with patch implementation at https://github.com/mlflow/mlflow/commit/361b6f620adf98385c6721e384fb5ef9a30bb05e.
More in Mlflow Mlflow
View allMLflow's FastAPI job endpoints bypass basic-auth entirely, allowing network attackers to submit and execute jobs without
Path traversal in MLflow's tar.gz extraction (mlflow/mlflow versions <3.7.0) allows remote attackers to overwrite arbitr
Cross-origin request forgery in MLflow 3.9.0's Assistant feature allows remote attackers to bypass loopback-only protect
MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc
Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode
Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by
Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to
Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrar
Server-side environment variable disclosure in MLflow versions prior to 3.11.0 allows attackers to exfiltrate sensitive
Remote unauthenticated attackers can read arbitrary files from MLflow server filesystems in versions 3.9.0 and earlier.
Server-Side Request Forgery in MLflow allows authenticated users to force the MLflow backend to send HTTP requests to ar
MLflow's basic-auth authentication system fails to protect tracing and assessment endpoints, enabling any authenticated
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209121
GHSA-r23q-823p-vmf7