Platform: python
Component: mlflow
Fixed in: 2.21.4, 3.0.0
CVE-2025-11201 is a Remote Code Execution (RCE) vulnerability affecting MLflow Tracking Server versions up to 3.0.0rc3. This flaw allows unauthenticated attackers to execute arbitrary code on the server. The vulnerability stems from inadequate validation of user-supplied file paths during model creation, which allows code to be executed in the context of the service account. A fix is available in version 3.0.0.
The impact of CVE-2025-11201 is severe. An attacker can leverage this vulnerability to execute arbitrary code on the MLflow Tracking Server with the privileges of the service account. This could lead to complete system compromise, including data exfiltration, modification, or deletion. The lack of authentication requirements makes this vulnerability particularly concerning, as it allows unauthenticated attackers to directly exploit the flaw. A successful attack could also be used for lateral movement within the network, potentially compromising other systems connected to the MLflow Tracking Server. The potential blast radius extends to any data stored or processed by the server, including sensitive machine learning models and training data.
CVE-2025-11201 was reported to ZDI as ZDI-CAN-26921. Public proof-of-concept (PoC) code is likely to emerge given the vulnerability's ease of exploitation and lack of authentication requirement. The EPSS score is likely to be assessed as medium to high due to the potential for widespread exploitation and the severity of the impact. The vulnerability was publicly disclosed on 2025-10-29.
Organizations heavily reliant on MLflow for model tracking and deployment are particularly at risk. This includes data science teams, machine learning engineers, and companies deploying machine learning models in production environments. Shared hosting environments where multiple users share the same MLflow instance are also at increased risk, as a compromised model could potentially affect other users.
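• python / mlflow:

```python
import subprocess

from packaging.version import Version  # installed as an MLflow dependency

# Last affected release according to this advisory.
# Note: the 2.21.4 release listed under "Fixed in" is not distinguished by this check.
LAST_AFFECTED = Version("3.0.0rc3")


def check_mlflow_version():
    try:
        result = subprocess.run(['mlflow', '--version'], capture_output=True, text=True, check=True)
    except FileNotFoundError:
        print("MLflow is not installed.")
        return
    except subprocess.CalledProcessError as e:
        print(f"Error checking MLflow version: {e}")
        return
    # The CLI prints "mlflow, version X.Y.Z"; keep only the version token.
    version = Version(result.stdout.strip().split()[-1])
    # Compare parsed versions, not strings, so pre-releases and
    # multi-digit components are ordered correctly.
    if version <= LAST_AFFECTED:
        print(f"MLflow version is vulnerable: {version}")
    else:
        print(f"MLflow version is patched: {version}")


check_mlflow_version()
```

• linux / server: journalctl filters for suspicious process executions within the MLflow Tracking Server directory.

```bash
journalctl -u mlflow-tracking-server -g 'path=/path/to/mlflow/models/'
```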
EPSS: 9.10% (93rd percentile)
The primary mitigation for CVE-2025-11201 is to upgrade to MLflow Tracking Server version 3.0.0 or later, which includes the necessary path validation fixes. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict network access to the MLflow Tracking Server to only authorized users and systems. Implement a Web Application Firewall (WAF) with rules to block suspicious file path manipulation attempts. Monitor system logs for unusual activity, particularly related to file creation and execution. After upgrading, confirm the fix by attempting to create a model with a specially crafted path containing directory traversal sequences; the server should reject the request.
Upgrade MLflow to a version later than 2.21.3. This fixes the directory traversal and remote code execution vulnerability. See the release notes for more details on the upgrade.
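The kind of path validation the mitigation text refers to, as an added example (not MLflow's actual fix and not code from this page): a user-supplied path is resolved against an allowed root and rejected if it ends up outside it, including via `..` segments or symlinks. The names `resolve_inside`, `is_safe`, `UnsafePathError` and the root directory are assumptions made for this sketch.

```python
import os
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a user-supplied path would leave the allowed root."""


def resolve_inside(root: str, user_path: str) -> Path:
    """Return the resolved location of user_path if it stays inside root.

    Hypothetical helper: root is the directory the server may read model
    files from, user_path is the value taken from the request.
    """
    if "\x00" in user_path:
        raise UnsafePathError("NUL byte in path")
    # Only relative locations under root are accepted in this sketch, so
    # URI schemes and absolute paths are rejected outright.
    if "://" in user_path or os.path.isabs(user_path) or user_path.startswith("\\"):
        raise UnsafePathError(f"absolute path or URI not allowed: {user_path!r}")
    root_real = Path(root).resolve()
    # resolve() collapses ".." and follows symlinks, so the containment
    # check sees the location that would actually be opened.
    candidate = (root_real / user_path).resolve()
    if candidate != root_real and root_real not in candidate.parents:
        raise UnsafePathError(f"path escapes {root_real}: {user_path!r}")
    return candidate


def is_safe(root: str, user_path: str) -> bool:
    """Boolean wrapper around resolve_inside for use in request filters."""
    try:
        resolve_inside(root, user_path)
        return True
    except UnsafePathError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs checked against a hypothetical root.
    for p in ["run1/model.pkl", "../../outside/x", "/etc/passwd"]:
        print(p, "->", "ok" if is_safe("/srv/mlflow/models", p) else "rejected")
```

Comparing resolved paths rather than searching the raw string for `..` is what catches the symlink case, which a pattern-based WAF rule cannot see.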
CVE-2025-11201 is a Remote Code Execution vulnerability in MLflow Tracking Server versions up to 3.0.0rc3, allowing attackers to execute arbitrary code without authentication.
You are affected if you are running MLflow Tracking Server versions 3.0.0rc3 or earlier. Upgrade to 3.0.0 or later to mitigate the risk.
Upgrade to MLflow Tracking Server version 3.0.0 or later. Implement strict file path validation as a temporary workaround if an upgrade is not immediately possible.
While no active exploitation has been confirmed, the ease of exploitation and lack of authentication suggest a high likelihood of exploitation in the near future.
Refer to the MLflow security advisories on the MLflow GitHub repository for the latest information and updates: [https://github.com/mlflow/mlflow/security/advisories](https://github.com/mlflow/mlflow/security/advisories)