CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Description
A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of `tarfile.extractall` without path validation enables crafted tar.gz files containing `..` or absolute paths to escape the intended extraction directory. This issue affects the latest version of MLflow and poses a high/critical risk in scenarios involving multi-tenant environments or ingestion of untrusted artifacts, as it can lead to arbitrary file overwrites and potential remote code execution.
Analysis
MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc extraction process that allows arbitrary file writes. The vulnerability stems from unsafe use of tarfile.extractall without proper path validation, enabling attackers to craft malicious tar.gz files with directory traversal sequences or absolute paths to write files outside the intended extraction directory. This poses critical risk in multi-tenant environments and can lead to remote code execution, with a CVSS score of 8.1 and confirmed exploit details available via Huntr.
Technical Context
The vulnerability affects MLflow (cpe:2.3:a:mlflow:mlflow/mlflow:*:*:*:*:*:*:*:*), specifically in the pyfunc extraction mechanism that processes tar.gz artifact files. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal. Python's tarfile.extractall method, when used without validation, is vulnerable to Zip Slip-style attacks where archive entries containing '../' sequences or absolute paths can write files to arbitrary locations on the filesystem. In MLflow's context, this occurs during model artifact extraction, where malicious model packages could overwrite critical system files, configuration files, or inject malicious code into application directories.
Affected Products
The CPE identifier cpe:2.3:a:mlflow:mlflow/mlflow:*:*:*:*:*:*:*:* marks MLflow as affected, and the description notes that the latest version of MLflow is impacted. The vulnerability report was disclosed through Huntr's bug bounty platform and details can be found at https://huntr.com/bounties/09856f77-f968-446f-a930-657d126efe4e. The asterisk wildcards in the CPE string indicate broad version impact, though specific version ranges are not definitively stated in the available intelligence. Users of MLflow should check the Huntr advisory for precise version information and vendor confirmation.
Remediation
Organizations should immediately review the Huntr vulnerability disclosure at https://huntr.com/bounties/09856f77-f968-446f-a930-657d126efe4e for official patch information and upgrade to a patched version of MLflow as soon as available. Until patching is possible, implement strict controls on artifact sources by only accepting model artifacts from trusted, verified sources and implementing network segmentation to limit MLflow's access to adjacent network resources. Consider implementing additional validation layers that inspect tar.gz archives before extraction, rejecting any files containing path traversal sequences or absolute paths. In multi-tenant environments, run MLflow instances in isolated containers with restricted filesystem permissions and use read-only mounts where possible to limit the impact of arbitrary file writes.
EUVD-2025-208848
GHSA-fhff-qmm8-h2fp