Platform: python
Component: mlflow
Fixed in: 3.8.2, 3.9.0rc0
CVE-2025-15379 is a critical command injection vulnerability discovered in MLflow, a platform for managing the machine learning lifecycle. This flaw allows attackers to execute arbitrary commands on systems that deploy a model from a malicious artifact. The vulnerability impacts MLflow versions up to 3.8.0rc0 and has been resolved in version 3.8.1.
The vulnerability resides within MLflow's model serving container initialization process. Specifically, when using the LOCAL environment manager, MLflow reads dependency specifications from the model artifact's `python_env.yaml` file. Critically, these specifications are interpolated directly into a shell command without any sanitization. An attacker can craft a malicious `python_env.yaml` file within a model artifact, injecting arbitrary commands that will be executed during the model deployment phase. This could lead to complete system compromise, data exfiltration, or the installation of persistent malware. The blast radius extends to any system involved in deploying models using affected MLflow versions, potentially impacting production environments and sensitive data.
This vulnerability has gained attention due to its critical severity and potential for widespread impact. While no public exploits have been widely reported, the ease of exploitation makes it a high-priority concern. The vulnerability was publicly disclosed on 2026-03-30. Its severity is reflected in its CVSS score of 10.0 (CRITICAL).
Exploit Status
EPSS: 0.24% (47th percentile)
The primary mitigation is to upgrade MLflow to version 3.8.1 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing a WAF rule to filter shell commands within the `python_env.yaml` file, specifically looking for suspicious characters or patterns. As a temporary workaround, restrict the deployment of models from untrusted sources. Thoroughly review all model artifacts before deployment to identify potentially malicious content. After upgrading, confirm the fix by attempting to deploy a model with a known malicious `python_env.yaml` file and verifying that the command injection is prevented.
Update MLflow to version 3.8.2 or higher. This corrects the command injection vulnerability in the model serving container initialization. The update will prevent arbitrary command execution when deploying models with `env_manager=LOCAL`.
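For the artifact review step described above, one way to gate deployments is to check every entry of the artifact's Python environment file (`python_env.yaml` in MLflow's layout, with its `python`, `build_dependencies` and `dependencies` fields) against a strict allowlist before the model reaches a serving host. This is an added example, not MLflow's code or its fix; the function name `audit_python_env`, the allowlist patterns and the sample documents are assumptions of the example, and the file is assumed to have been parsed already (for instance with `yaml.safe_load`).

```python
import re

# Conservative allowlist (an assumption of this example, stricter than pip):
# a name, optional extras, optional comma-separated version clauses.
_OP = r"(?:==|>=|<=|~=|!=|<|>)"
_REQ = re.compile(
    rf"[A-Za-z0-9][A-Za-z0-9._-]*(?:\[[A-Za-z0-9,._-]+\])?"
    rf"(?:{_OP}[A-Za-z0-9.*+!_-]+(?:,{_OP}[A-Za-z0-9.*+!_-]+)*)?"
)
_REQ_FILE = re.compile(r"-r [A-Za-z0-9._/-]+")   # "-r requirements.txt"
_PY_VERSION = re.compile(r"\d+(?:\.\d+){0,2}")   # "3.10.12"


def audit_python_env(doc):
    """Return (field, value) pairs that fail the allowlist.

    `doc` is the parsed python_env.yaml mapping; an empty list means
    no entry contained anything outside the allowlisted grammar.
    """
    if not isinstance(doc, dict):
        return [("<root>", repr(doc))]
    findings = []
    py = str(doc.get("python", ""))  # YAML may load "3.9" as a float
    if py and not _PY_VERSION.fullmatch(py):
        findings.append(("python", py))
    for field in ("build_dependencies", "dependencies"):
        entries = doc.get(field) or []
        if not isinstance(entries, list):
            findings.append((field, repr(entries)))
            continue
        for entry in entries:
            text = entry if isinstance(entry, str) else repr(entry)
            # fullmatch rejects spaces, quotes, newlines and shell
            # metacharacters such as ; | & $ ` ( ) anywhere in the entry.
            if not (_REQ.fullmatch(text) or _REQ_FILE.fullmatch(text)):
                findings.append((field, text))
    return findings


# Constructed samples, not taken from a real artifact.
CLEAN = {"python": "3.10.12",
         "build_dependencies": ["pip==23.3.1", "setuptools>=65,<70", "wheel"],
         "dependencies": ["-r requirements.txt"]}
TAMPERED = {"python": "3.10.12",
            "build_dependencies": ["pip==23.3.1; echo INJECTED", "wheel"],
            "dependencies": ["-r requirements.txt", "numpy $(echo INJECTED)"]}

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, audit_python_env(doc))
```

The allowlist also flags legitimate but unusual entries such as environment markers or URL requirements; treat a finding as a prompt for manual review rather than proof of tampering.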
CVE-2025-15379 is a critical command injection vulnerability in MLflow versions up to 3.8.0rc0. It allows attackers to execute arbitrary commands during model deployment by crafting malicious model artifacts.
You are affected if you are using MLflow versions 3.8.0 or earlier and deploying models using the LOCAL environment manager. Upgrade to 3.8.1 to mitigate the risk.
The recommended fix is to upgrade MLflow to version 3.8.1 or later. As a temporary workaround, implement WAF rules or restrict deployment of models from untrusted sources.
While no widespread exploitation has been confirmed, the vulnerability's ease of exploitation makes it a high-priority concern. Active exploitation is possible.
Refer to the MLflow security advisory for detailed information and updates: [https://mlflow.org/docs/security](https://mlflow.org/docs/security)