EUVD-2025-209119

CVE-2025-15036 | CRITICAL | CVSS 3.0: 9.6
2026-03-30 | @huntr_ai | GHSA-vhcx-3pq2-4fvc

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch Released: Apr 01, 2026 - 02:30 (nvd), Patch available
EUVD ID Assigned: Mar 30, 2026 - 01:45 (euvd), EUVD-2025-209119
Analysis Generated: Mar 30, 2026 - 01:45 (vuln.today)
CVE Published: Mar 30, 2026 - 01:16 (nvd), CRITICAL 9.6

Description

A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member paths during extraction. An attacker with control over the tar.gz file can exploit this issue to overwrite arbitrary files or gain elevated privileges, potentially escaping the sandbox directory in multi-tenant or shared cluster environments.

Analysis

Path traversal in MLflow's tar.gz extraction (mlflow/mlflow versions <3.7.0) allows remote attackers to overwrite arbitrary files and potentially escape sandbox isolation via malicious archive uploads. The vulnerability affects the `extract_archive_to_dir` function, which fails to validate tar member paths during extraction. Exploitation requires user interaction (CVSS UI:R) but needs no authentication (PR:N). EPSS data is not provided, and the absence of a CISA KEV listing indicates no confirmed active exploitation at the time of analysis. Public exploit code exists via Huntr bounty disclosure.

Technical Context

This vulnerability affects MLflow (cpe:2.3:a:mlflow:mlflow/mlflow), an open-source platform for managing the machine learning lifecycle. The flaw resides in the `extract_archive_to_dir` function within `mlflow/pyfunc/dbconnect_artifact_cache.py`, which handles artifact extraction from tar.gz archives. The root cause is CWE-29 (Path Traversal: '..\filename'), where insufficient validation of tar member paths allows directory traversal sequences. When MLflow processes user-supplied tar.gz files, an attacker can craft malicious archives containing paths like '../../etc/passwd' or similar traversal patterns. During extraction, these paths are not sanitized, allowing files to be written outside the intended extraction directory. This is particularly dangerous in multi-tenant MLflow deployments or shared cluster environments, where sandbox isolation serves as a security boundary.

Affected Products

The vulnerability affects MLflow versions prior to 3.7.0, specifically the mlflow/mlflow Python package identified by CPE 2.3:a:mlflow:mlflow/mlflow:*:*:*:*:*:*:*:*. MLflow is widely deployed across data science and machine learning platforms for experiment tracking, model registry, and deployment workflows. Organizations running MLflow servers, particularly in multi-tenant configurations, shared notebook environments, or Databricks Connect scenarios, are at risk. The vulnerability is present in any deployment where the affected `dbconnect_artifact_cache.py` module processes tar.gz archives from untrusted sources. Vendor advisory and technical details are available at https://huntr.com/bounties/36c314cf-fd6e-4fb0-b9b0-1b47bcdf0eb0.

Remediation

Vendor-released patch: MLflow version 3.7.0. Organizations should immediately upgrade to MLflow 3.7.0 or later, which includes the fix implemented in commit 3bf6d81ac4d38654c8ff012dbd0c3e9f17e7e346 (available at https://github.com/mlflow/mlflow/commit/3bf6d81ac4d38654c8ff012dbd0c3e9f17e7e346). The patch implements proper validation of tar member paths to prevent directory traversal during archive extraction. The upgrade can typically be performed via `pip install --upgrade "mlflow>=3.7.0"` (the quotes keep the shell from treating `>=` as an output redirection). For environments where immediate patching is not feasible, implement network-level controls to restrict who can upload artifacts to MLflow servers, enforce strict input validation on tar.gz files before they reach MLflow, and consider running MLflow in isolated containers with restricted filesystem permissions to limit the impact of successful exploitation. Review audit logs for suspicious artifact uploads or unusual file system access patterns that might indicate exploitation attempts. In multi-tenant environments, evaluate whether additional sandbox hardening or process isolation is needed beyond the MLflow application layer.
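The following added example (not MLflow's patch and not code from this advisory) sketches the "strict input validation on tar.gz files" mitigation: it inspects every tar member before anything is extracted and reports entries whose path or link target would resolve outside the extraction directory. The function names, the sample entries and the `/srv/artifact-cache` path are assumptions made for illustration.

```python
import io
import os
import tarfile


def unsafe_members(archive, dest_dir):
    """Return (member name, reason) for entries that must not be extracted."""
    root = os.path.realpath(dest_dir)

    def escapes(rel_path):
        # Resolve against the extraction root, then require containment.
        full = os.path.realpath(os.path.join(root, rel_path))
        return os.path.commonpath([root, full]) != root

    findings = []
    for m in archive.getmembers():
        if escapes(m.name):
            findings.append((m.name, "path leaves extraction directory"))
        elif m.issym() and escapes(os.path.join(os.path.dirname(m.name), m.linkname)):
            # Symlink targets are relative to the link's own directory.
            findings.append((m.name, "symlink target leaves extraction directory"))
        elif m.islnk() and escapes(m.linkname):
            # Hard link targets are relative to the archive root.
            findings.append((m.name, "hard link target leaves extraction directory"))
        elif not (m.isfile() or m.isdir() or m.issym() or m.islnk()):
            findings.append((m.name, "special file (device or FIFO)"))
    return findings


def build_sample(entries):
    """Constructed input: in-memory tar.gz from (name, type, linkname) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, kind, link in entries:
            info = tarfile.TarInfo(name)
            info.type, info.linkname = kind, link
            data = b"weights" if kind == tarfile.REGTYPE else b""
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r:gz")


SAMPLE = [  # constructed entries, not taken from any real archive
    ("model/weights.bin", tarfile.REGTYPE, ""),
    ("../../etc/passwd", tarfile.REGTYPE, ""),
    ("model/latest", tarfile.SYMTYPE, "../../outside"),
    ("model/current", tarfile.SYMTYPE, "weights.bin"),
]

if __name__ == "__main__":
    for name, reason in unsafe_members(build_sample(SAMPLE), "/srv/artifact-cache"):
        print(f"REJECT {name}: {reason}")
```

Reject the whole archive when the returned list is non-empty rather than skipping individual members. On Python 3.12 and later, `extractall(..., filter="data")` applies comparable checks at extraction time.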

Priority Score

48 (KEV: 0, EPSS: +0.1, CVSS: +48, POC: 0)
