What is the CVSS score of EUVD-2025-208848?

EUVD-2025-208848 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Mlflow are affected by EUVD-2025-208848?

MLflow deployments are vulnerable to arbitrary file writes through malicious model files, creating a critical remote code execution risk especially in multi-tenant environments where isolated…. A patch is available.

How to fix or mitigate EUVD-2025-208848?

Within 24 hours: Inventory all MLflow deployments and assess exposure by identifying systems accepting external model uploads or processing untrusted tar.gz files. Within 7 days: Implement network segmentation to isolate MLflow services, disable pyfunc model loading if not operationally required, and implement strict input validation on model uploads. Within 30 days: Monitor vendor communications for patch release, conduct code review of model processing pipelines, and develop detection rules for suspicious file write patterns in MLflow working directories.

Mlflow EUVD-2025-208848

| CVE-2025-15031 CRITICAL

Path Traversal (CWE-22)

2026-03-18 @huntr_ai

GHSA-fhff-qmm8-h2fp

RCE Path Traversal Red Hat Mlflow AI / ML

9.1

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.1 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Red Hat

8.1 HIGH

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 18, 2026 - 22:22 euvd

EUVD-2025-208848

Analysis Generated

Mar 18, 2026 - 22:22 vuln.today

CVE Published

Mar 18, 2026 - 22:06 nvd

CRITICAL 9.1

DescriptionCVE.org

A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of tarfile.extractall without path validation enables crafted tar.gz files containing .. or absolute paths to escape the intended extraction directory. This issue affects the latest version of MLflow and poses a high/critical risk in scenarios involving multi-tenant environments or ingestion of untrusted artifacts, as it can lead to arbitrary file overwrites and potential remote code execution.

AnalysisAI

MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc extraction process that allows arbitrary file writes. The vulnerability stems from unsafe use of tarfile.extractall without proper path validation, enabling attackers to craft malicious tar.gz files with directory traversal sequences or absolute paths to write files outside the intended extraction directory. This poses critical risk in multi-tenant environments and can lead to remote code execution, with a CVSS score of 8.1 and confirmed exploit details available via Huntr.

Technical ContextAI

The vulnerability affects MLflow (cpe:2.3:a:mlflow:mlflow/mlflow:*:*:*:*:*:*:*:*), specifically in the pyfunc extraction mechanism that processes tar.gz artifact files. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal. Python's tarfile.extractall method, when used without validation, is vulnerable to Zip Slip-style attacks where archive entries containing '../' sequences or absolute paths can write files to arbitrary locations on the filesystem. In MLflow's context, this occurs during model artifact extraction, where malicious model packages could overwrite critical system files, configuration files, or inject malicious code into application directories.

RemediationAI

Organizations should immediately review the Huntr vulnerability disclosure at https://huntr.com/bounties/09856f77-f968-446f-a930-657d126efe4e for official patch information and upgrade to a patched version of MLflow as soon as available. Until patching is possible, implement strict controls on artifact sources by only accepting model artifacts from trusted, verified sources and implementing network segmentation to limit MLflow's access to adjacent network resources. Consider implementing additional validation layers that inspect tar.gz archives before extraction, rejecting any files containing path traversal sequences or absolute paths. In multi-tenant environments, run MLflow instances in isolated containers with restricted filesystem permissions and use read-only mounts where possible to limit the impact of arbitrary file writes.

Vendor StatusVendor

EUVD-2025-208848 vulnerability details – vuln.today

Back

Mlflow EUVD-2025-208848

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Vendor StatusVendor

Share

External POC / Exploit Code