Skip to main content

Mlflow Mlflow CVE-2025-15379

| EUVDEUVD-2025-209121 CRITICAL
Command Injection (CWE-77)
2026-03-30 @huntr_ai GHSA-r23q-823p-vmf7
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat
9.0 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 28, 2026 - 14:37 vuln.today
cvss_changed
CVSS changed
Apr 28, 2026 - 14:37 NVD
10.0 (CRITICAL) 9.8 (CRITICAL)
Patch released
Apr 01, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Mar 30, 2026 - 07:30 euvd
EUVD-2025-209121
Analysis Generated
Mar 30, 2026 - 07:30 vuln.today
CVE Published
Mar 30, 2026 - 07:16 nvd
CRITICAL 10.0

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 pypi packages depend on mlflow (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.8.1.

DescriptionNVD

A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the _install_model_dependencies_to_env() function. When deploying a model with env_manager=LOCAL, MLflow reads dependency specifications from the model artifact's python_env.yaml file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects versions 3.8.0 and is fixed in version 3.8.2.

AnalysisAI

Critical command injection in MLflow 3.8.0 enables remote code execution during model deployment when attackers supply malicious artifacts via the env_manager=LOCAL parameter. The _install_model_dependencies_to_env() function unsafely interpolates dependency specifications from python_env.yaml directly into shell commands without sanitization. With CVSS 10.0 (network-accessible, no authentication, no complexity) and publicly available exploit code exists (reported via Huntr bug bounty, patched in 3.8.2), this represents an immediate critical risk for organizations using MLflow model serving infrastructure. EPSS data not available, but exploitation scenario is straightforward for adversaries with model deployment access.

Technical ContextAI

MLflow is an open-source machine learning lifecycle platform that manages model deployment, serving, and dependency management. The vulnerability resides in the environment manager subsystem that handles Python dependency installation. When env_manager=LOCAL is specified during model deployment, MLflow parses the python_env.yaml file from model artifacts to determine required dependencies. The vulnerable function constructs shell commands by directly concatenating user-controlled dependency strings without input validation or command sanitization. This represents CWE-77 (Command Injection), a critical flaw class where externally-influenced input modifies the intended command string. The affected product MLflow version 3.8.0 uses Python's subprocess or shell invocation mechanisms that interpret special characters and command separators (semicolons, pipes, backticks), allowing attackers to inject arbitrary commands. Model artifacts in MLflow are typically stored as directories containing metadata files, making the python_env.yaml file a trusted input surface that was incorrectly assumed safe.

RemediationAI

Organizations must immediately upgrade MLflow to version 3.8.2 or later, which contains the complete fix for the command injection vulnerability as documented in commit 361b6f620adf98385c6721e384fb5ef9a30bb05e. The upstream fix available via the GitHub repository implements proper input sanitization in the _install_model_dependencies_to_env() function. For environments where immediate patching is not feasible, implement compensating controls including restricting model deployment permissions to trusted users only, implementing strict validation on model artifacts before deployment, avoiding the env_manager=LOCAL parameter if alternative environment managers are viable, and deploying models in isolated sandboxed containers with minimal privileges. Network segmentation should isolate MLflow model serving infrastructure from untrusted networks. Monitor MLflow deployment logs for suspicious dependency installation patterns or shell metacharacters in python_env.yaml files. Review all model artifacts deployed during the 3.8.0 version window for potential compromise indicators. Complete vendor advisory and technical details available at https://huntr.com/bounties/dc9c1c20-7879-4050-87df-4d095fe5ca75 with patch implementation at https://github.com/mlflow/mlflow/commit/361b6f620adf98385c6721e384fb5ef9a30bb05e.

CVE-2026-0545 CRITICAL POC
9.8 Apr 03

MLflow's FastAPI job endpoints bypass basic-auth entirely, allowing network attackers to submit and execute jobs without

CVE-2025-15036 CRITICAL
10.0 Mar 30

Path traversal in MLflow's tar.gz extraction (mlflow/mlflow versions <3.7.0) allows remote attackers to overwrite arbitr

CVE-2026-2611 CRITICAL
9.6 May 19

Cross-origin request forgery in MLflow 3.9.0's Assistant feature allows remote attackers to bypass loopback-only protect

CVE-2025-15031 CRITICAL
9.1 Mar 18

MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc

CVE-2026-2651 CRITICAL
9.0 May 25

Cross-user artifact overwrite in MLflow versions prior to 3.10.0 allows authenticated users with --serve-artifacts mode

CVE-2025-14287 HIGH
8.8 Mar 15

Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by

CVE-2026-8147 HIGH
8.1 Jul 02

Broken access control in MLflow prior to 3.14.0 lets any authenticated user read, modify, or delete traces belonging to

CVE-2026-0596 HIGH
7.8 Mar 31

Command injection in MLflow's MLServer integration allows unauthenticated adjacent network attackers to execute arbitrar

CVE-2026-4035 HIGH
7.7 Jun 03

Server-side environment variable disclosure in MLflow versions prior to 3.11.0 allows attackers to exfiltrate sensitive

CVE-2026-2614 HIGH
7.5 May 11

Remote unauthenticated attackers can read arbitrary files from MLflow server filesystems in versions 3.9.0 and earlier.

CVE-2026-2393 HIGH
7.1 May 11

Server-Side Request Forgery in MLflow allows authenticated users to force the MLflow backend to send HTTP requests to ar

CVE-2025-15381 HIGH
7.1 Mar 27

MLflow's basic-auth authentication system fails to protect tracing and assessment endpoints, enabling any authenticated

Vendor StatusVendor

Share

CVE-2025-15379 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy