Platform: python
Component: mlflow
Fixed in: 2.21.4, 3.0.0
CVE-2025-11201 is a Remote Code Execution (RCE) vulnerability affecting MLflow Tracking Server versions up to 3.0.0rc3. This flaw allows unauthenticated attackers to execute arbitrary code on the server. The vulnerability stems from inadequate validation of user-supplied file paths during model creation, which lets an attacker run code in the context of the service account. A fix is available in version 3.0.0.
The impact of CVE-2025-11201 is severe, as it allows for complete remote code execution without authentication. An attacker could leverage this vulnerability to gain full control of the MLflow Tracking Server, potentially compromising sensitive data, disrupting model training and deployment pipelines, and pivoting to other systems within the network. This could lead to data breaches, denial of service, and unauthorized access to machine learning resources. The lack of authentication requirements significantly broadens the attack surface, making it accessible to a wide range of threat actors.
This vulnerability was reported to ZDI (ZDI-CAN-26921) and subsequently disclosed publicly on 2025-10-29. Public proof-of-concept exploits are likely to emerge given the ease of exploitation and the lack of authentication requirements. The CVSS score of 8.1 (HIGH) reflects the significant risk posed by this vulnerability. Its inclusion in the NVD is expected.
Exploit Status
EPSS: 9.10% (93% percentile)
The primary mitigation for CVE-2025-11201 is to upgrade to MLflow Tracking Server version 3.0.0 or later, which contains the necessary fix. If an immediate upgrade is not feasible, consider implementing strict file path validation on the server side to block path traversal attempts. Restricting the directories accessible to the MLflow Tracking Server is not a complete solution, but it can limit the potential impact. Monitor system logs for suspicious file creation or execution attempts, particularly within the model directory.
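One way to write the path containment check mentioned above, as an added example that is not MLflow's fix or code from this advisory. The names `resolve_inside` and `UnsafePathError`, the `artifacts` root and every sample path are hypothetical and constructed for illustration; the check resolves `..` and symlinks before comparing against the allowed root.

```python
import os
import tempfile
from pathlib import Path

class UnsafePathError(ValueError):
    """A client-supplied path would resolve outside the allowed root."""

def resolve_inside(root, user_path):
    """Return user_path as an absolute Path guaranteed to sit under root."""
    if not user_path or "\x00" in user_path:
        raise UnsafePathError("empty path or embedded NUL")
    if "://" in user_path or user_path.lower().startswith("file:"):
        raise UnsafePathError("URI schemes are not accepted, only relative paths")
    base = Path(root).resolve(strict=True)
    # Backslashes become separators; an absolute user_path replaces base in the join.
    candidate = (base / user_path.replace("\\", "/")).resolve()
    try:
        candidate.relative_to(base)  # resolve() already followed ".." and symlinks
    except ValueError:
        raise UnsafePathError(f"{user_path!r} escapes {base}") from None
    return candidate

def demo():
    """Run constructed inputs against a throwaway root; return {input: verdict}."""
    samples = [
        "models/run1/model.pkl",   # ordinary relative path
        "models/../models/a.bin",  # ".." that stays inside the root
        "../../etc/passwd",        # traversal out of the root
        "..\\..\\secrets.txt",     # backslash variant
        "/etc/passwd",             # absolute path
        "file:///etc/passwd",      # URI form
        "link_out/payload.py",     # symlink pointing outside the root
    ]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "artifacts")
        (root / "models").mkdir(parents=True)
        os.symlink(tmp, root / "link_out")  # constructed escape via symlink
        for s in samples:
            try:
                resolve_inside(root, s)
                results[s] = "allowed"
            except UnsafePathError:
                results[s] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```

A check like this only narrows the exposure on an unpatched server; it does not replace the upgrade.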
Upgrade MLflow to a version later than 2.21.3. This resolves the directory traversal and remote code execution vulnerability. See the release notes for more details about the upgrade.
CVE-2025-11201 is a Remote Code Execution vulnerability in MLflow Tracking Server versions up to 3.0.0rc3, allowing attackers to execute arbitrary code without authentication.
You are affected if you are running MLflow Tracking Server versions 3.0.0rc3 or earlier. Upgrade to 3.0.0 or later to mitigate the risk.
Upgrade to MLflow Tracking Server version 3.0.0 or later. Implement strict file path validation as a temporary workaround if an upgrade is not immediately possible.
While no active exploitation has been confirmed, the ease of exploitation and lack of authentication suggest a high likelihood of exploitation in the near future.
Refer to the MLflow security advisories on the MLflow GitHub repository for the latest information and updates: [https://github.com/mlflow/mlflow/security/advisories](https://github.com/mlflow/mlflow/security/advisories)