Platform: python
Component: mlflow
Fixed in: 3.8.0rc0
CVE-2025-14287 describes a Command Injection vulnerability discovered in MLflow, a platform for managing the machine learning lifecycle. This flaw allows attackers to execute arbitrary commands on systems running vulnerable versions of MLflow. The vulnerability affects versions of MLflow prior to 3.7.0rc0 and can be exploited through the --container parameter. A fix is available in version 3.8.0rc0.
The vulnerability lies within the `mlflow/sagemaker/__init__.py` file, specifically in how user-supplied container image names are handled. The code directly interpolates these names into shell commands without proper sanitization before executing them using `os.system()`. This means an attacker can inject malicious commands into the --container parameter, which will then be executed with the privileges of the MLflow process. Successful exploitation could lead to complete system compromise, data exfiltration, or denial of service. The impact is particularly severe in CI/CD pipelines and cloud deployments where MLflow is integrated, as it could allow attackers to gain control over the entire infrastructure.
This vulnerability was publicly disclosed on 2026-03-16. There are currently no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The ease of exploitation is moderate, as it requires access to the MLflow CLI and the ability to provide a malicious --container parameter.
Exploit Status
EPSS: 0.08% (24% percentile)
The primary mitigation is to upgrade MLflow to version 3.8.0rc0 or later, which contains the fix for this vulnerability. If upgrading immediately is not possible, consider implementing temporary workarounds. One approach is to strictly validate the --container parameter before it reaches MLflow, so that shell metacharacters can never be part of it. This could involve whitelisting allowed container image names or using a safer way to invoke the command: passing the image name as a separate element of an argument list with no shell involved, which is the command-line counterpart of a parameterized query. Additionally, restrict the permissions of the MLflow process to minimize the potential damage from a successful attack. After upgrading, verify the fix by attempting to exploit the vulnerability with a known malicious container image name and confirming that the command is not executed.
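The two workarounds described above, as an added example that is not MLflow's code or its patch: an allowlist grammar for image names, and an argument-list invocation that never passes through a shell. The simplified grammar, the function names, the constructed sample values and the Python child process standing in for the container tool are all assumptions.

```python
import re
import subprocess
import sys

# Simplified image-reference grammar (an assumption for this example):
#   [registry[:port]/]path[/path...][:tag][@sha256:digest]
# Every component must start with an alphanumeric character, so a value
# beginning with "-" cannot be mistaken for a command-line option.
_PART = r"[a-z0-9]+(?:(?:[._]|__|-+)[a-z0-9]+)*"
IMAGE_RE = re.compile(
    rf"(?:[A-Za-z0-9][A-Za-z0-9.-]*(?::\d+)?/)?{_PART}(?:/{_PART})*"
    r"(?::[A-Za-z0-9_][A-Za-z0-9_.-]{0,127})?"
    r"(?:@sha256:[0-9a-f]{64})?"
)


def validate_image(name: str) -> str:
    """Return name unchanged if it is a plain image reference, else raise."""
    if len(name) > 255 or not IMAGE_RE.fullmatch(name):
        raise ValueError(f"rejected container image name: {name!r}")
    return name


def run_with_argv(program_argv: list[str], image: str) -> str:
    """Run a child process with the image as ONE argv element and no shell.

    With an argument list and shell=False (the default), characters such as
    ';', '|' or '$(' reach the child as literal bytes of a single argument.
    """
    done = subprocess.run(
        [*program_argv, image], capture_output=True, text=True, check=True
    )
    return done.stdout.rstrip("\n")


# Stand-in for the real container tool (assumption): prints its first argument.
ECHO_ARG = [sys.executable, "-c", "import sys; print(sys.argv[1])"]

if __name__ == "__main__":
    # Constructed sample values, not taken from the advisory.
    samples = ["mlflow-pyfunc", "registry.example.com:5000/team/mlflow-pyfunc:1.0",
               "mlflow-pyfunc; echo injected", "--privileged/x"]
    for s in samples:
        try:
            print("accepted:", validate_image(s))
        except ValueError as exc:
            print(exc)
    # Even an unvalidated value stays one literal argument without a shell.
    print(run_with_argv(ECHO_ARG, "mlflow-pyfunc; echo injected"))
```

Validation and the argument list are independent layers: the grammar rejects the value before any process starts, and the argument list keeps a value that slips through from being parsed as shell syntax.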
Update MLflow to version 3.7.0 or higher. This corrects the command injection vulnerability by properly sanitizing user inputs. You can update using `pip install mlflow --upgrade`.
CVE-2025-14287 is a Command Injection vulnerability affecting MLflow versions before 3.8.0rc0. It allows attackers to execute arbitrary commands by manipulating the --container parameter.
You are affected if you are using MLflow versions 3.7.0 or earlier. Upgrade to 3.8.0rc0 or later to mitigate the risk.
Upgrade MLflow to version 3.8.0rc0 or later. As a temporary workaround, strictly validate and sanitize the --container parameter.
As of the current disclosure date, there are no known active exploits or campaigns targeting this vulnerability.
Refer to the MLflow security advisories and release notes on the official MLflow website for the latest information.