Platform: python
Component: ml-logger
Fixed in: 255.0.1
CVE-2025-10951 describes a Path Traversal vulnerability discovered in geyang ml-logger. This flaw allows attackers to potentially access sensitive files and directories on the server. The vulnerability affects versions of ml-logger up to acf255bade5be6ad88d90735c8367b28cbe3a743, and a fix is available in version 255.0.1.
The Path Traversal vulnerability in ml-logger allows an attacker to manipulate the 'File' argument of the log_handler function in ml_logger/server.py. This manipulation can give the attacker access to files outside the intended directory, potentially exposing sensitive data such as configuration files, source code, or system files. Because the vulnerable endpoint is reachable remotely, an attacker does not need local access to the system to exploit it. The availability of a public exploit significantly increases the risk of exploitation.
A public proof-of-concept for CVE-2025-10951 is available, indicating a higher probability of exploitation. The vulnerability was disclosed on 2025-09-25. The CVSS score is 7.3 (HIGH), reflecting the potential for significant impact. It is recommended to prioritize remediation due to the public exploit and the ease of remote exploitation.
Exploit Status
EPSS: 0.06% (18th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-10951 is to upgrade to version 255.0.1 or later of ml-logger. Since ml-logger uses a rolling release model, precise version details are not always available. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious path traversal attempts (e.g., '../' sequences). Additionally, restrict access to the ml_logger/server.py endpoint and carefully validate any user-supplied input related to file paths. After upgrading, confirm the fix by attempting a path traversal attack and verifying that access is denied.
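The input validation recommended above is the part most often done wrong, usually with a string-prefix check or by stripping "../" once. The following is an added example written for this advisory, not ml-logger's own code; the function names (resolve_under_root, classify_requests, run_demo) and the sample requests are constructed for illustration. It resolves the user-supplied path against a fixed log root, collapses symlinks and '..' before checking containment, and tests containment component-wise so that a sibling directory such as "logs2" is not mistaken for a child of "logs". The demo builds a throwaway root with a symlink that escapes it and reports which sample requests are allowed, which is the kind of verification set the advisory's "confirm the fix" step calls for.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional


def resolve_under_root(root: str, requested: str) -> Optional[Path]:
    """Resolve `requested` against `root`; return None if it escapes the root.

    Containment is checked on the fully resolved path (symlinks and '..'
    collapsed) and component-wise via Path.relative_to, so a sibling such as
    '<root>2' is not mistaken for a child of '<root>' the way a plain
    string-prefix comparison would.
    """
    if not requested or os.path.isabs(requested):
        # A user-supplied absolute path has no business in a "file under the
        # log directory" parameter; refuse it outright instead of re-rooting it.
        return None
    root_path = Path(root).resolve()
    try:
        candidate = root_path.joinpath(requested).resolve()
        candidate.relative_to(root_path)  # raises ValueError when outside root
    except (ValueError, OSError):
        # ValueError: outside the root, or an embedded NUL byte in the name.
        # OSError: the path could not be resolved on this platform.
        return None
    return candidate


def classify_requests(root: str, requests: Iterable[str]) -> Dict[str, str]:
    """Label each requested path 'allowed' or 'blocked' for the given root."""
    return {
        req: "allowed" if resolve_under_root(root, req) is not None else "blocked"
        for req in requests
    }


# Constructed sample values modelled on typical traversal probes; none of these
# come from the advisory or from ml-logger.
SAMPLE_REQUESTS: List[str] = [
    "run-1/metrics.pkl",        # ordinary request, stays under the root
    "run-1/./metrics.pkl",      # harmless './' segment
    "../../etc/passwd",         # classic dot-dot escape
    "/etc/passwd",              # absolute path smuggled into a relative slot
    "run-1/../../outside.txt",  # escape hidden behind a legitimate prefix
    "escape-link/secret.txt",   # symlink inside the root that points outside it
]


def run_demo() -> Dict[str, str]:
    """Build a throwaway log root with an escaping symlink and classify the samples."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "logs")
        os.makedirs(os.path.join(root, "run-1"))
        outside = os.path.join(tmp, "outside")
        os.makedirs(outside)
        requests = list(SAMPLE_REQUESTS)
        try:
            os.symlink(outside, os.path.join(root, "escape-link"))
        except OSError:
            # Symlinks unavailable (e.g. unprivileged Windows); skip that sample.
            requests.remove("escape-link/secret.txt")
        return classify_requests(root, requests)


if __name__ == "__main__":
    for req, verdict in run_demo().items():
        print(f"{verdict:8} {req}")
```

Two design choices are worth noting. Absolute paths are rejected rather than silently re-rooted, because a client that sends "/etc/passwd" to a "file under the log directory" parameter is not making a legitimate request, and rejecting it keeps that attempt visible in logs. The check happens after resolve(), not before, because the '..' in "run-1/../../outside.txt" only becomes dangerous once the components are collapsed, and a symlink inside the root can point anywhere regardless of how clean the requested string looks.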
Update the ml-logger library to a version later than acf255bade5be6ad88d90735c8367b28cbe3a743. If no such version is available, review the code of the log_handler function in server.py and fix the path traversal vulnerability by validating and sanitizing the input of the File argument.
CVE-2025-10951 is a Path Traversal vulnerability affecting geyang ml-logger versions up to acf255bade5be6ad88d90735c8367b28cbe3a743, allowing attackers to access arbitrary files remotely.
If you are using ml-logger versions prior to 255.0.1, you are potentially affected by this vulnerability. Check your current version against the affected range.
Upgrade to ml-logger version 255.0.1 or later to address this vulnerability. Consider WAF rules as a temporary mitigation if upgrading is not immediately possible.
A public proof-of-concept exists, indicating a high probability of active exploitation. Prioritize remediation to mitigate the risk.
Refer to the geyang ml-logger project's release notes or security advisories for the official announcement and details regarding this vulnerability.