Platform: python
Component: mlflow
Fixed in: 3.9.0rc0
CVE-2025-15031 describes an Arbitrary File Access vulnerability discovered in MLflow, a platform for managing the machine learning lifecycle. This vulnerability arises from improper handling of tar archive entries during the pyfunc extraction process, allowing attackers to write files outside the intended directory. Versions of MLflow prior to 3.9.0rc0 are affected, and upgrading is the recommended solution.
The core of this vulnerability lies in MLflow's pyfunc extraction feature, which handles Python functions packaged as tar.gz archives. The tarfile.extractall function is used without proper path validation, meaning a malicious tar archive can contain entries with relative paths like ../sensitive_file or absolute paths. When extracted, these entries will overwrite files outside the intended extraction directory, potentially leading to arbitrary file overwrites. In multi-tenant environments, this could allow an attacker to overwrite critical configuration files or even inject malicious code, leading to remote code execution. The impact is particularly severe if MLflow is used to ingest untrusted artifacts, as this provides a direct attack vector.
CVE-2025-15031 was published on 2026-03-19. There is currently no public proof-of-concept available, and no confirmed exploitation campaigns have been observed. The vulnerability's severity is rated HIGH (CVSS:8.1), indicating a significant risk. Its impact is amplified in environments where untrusted artifacts are ingested into MLflow, making it a potential target for attackers seeking to compromise machine learning pipelines.
EPSS: 0.12% (30% percentile)
The primary mitigation for CVE-2025-15031 is to upgrade to MLflow version 3.9.0rc0 or later, which includes the necessary path validation fixes. If upgrading immediately is not feasible, consider implementing stricter artifact validation procedures before ingestion. Specifically, sanitize tar.gz archives to ensure they do not contain malicious path entries. While a WAF cannot directly prevent this vulnerability, it can be configured to monitor for suspicious file write attempts. There are no specific Sigma or YARA rules readily available for this vulnerability, but monitoring file system integrity for unexpected modifications is crucial.
Upgrade MLflow to the latest available version. This fixes the path traversal vulnerability when extracting tar.gz files, preventing arbitrary file writes and possible remote code execution.
CVE-2025-15031 is a HIGH severity vulnerability in MLflow versions ≤3.8.1 that allows attackers to overwrite files due to improper path validation during tar archive extraction, potentially leading to remote code execution.
You are affected if you are using MLflow versions 3.8.1 or earlier. Upgrade to 3.9.0rc0 or later to mitigate the risk.
The recommended fix is to upgrade to MLflow version 3.9.0rc0 or later. Implement stricter artifact validation procedures as an interim measure.
Currently, there is no public proof-of-concept or confirmed exploitation campaigns associated with CVE-2025-15031, but the HIGH severity warrants immediate attention.
Refer to the MLflow security advisories page for the latest information and updates regarding CVE-2025-15031: [https://mlflow.org/security/advisories](https://mlflow.org/security/advisories)