CVE-2025-11201

Published Oct 29, 2025

Last updated 4 months ago

CVSS critical 9.8

Overview

Description
MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of model file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26921.
Source
zdi-disclosures@trendmicro.com
NVD status
Analyzed
Products
mlflow

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

CVSS 3.0

Type
Secondary
Base score
8.1
Impact score
5.9
Exploitability score
2.2
Vector string
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

zdi-disclosures@trendmicro.com
CWE-22

Social media

Hype score
Not currently trending

  1. CVE-2025-11201: Vulnerabilidad Crítica en MLflow Afecta la Seguridad de los Modelos de Machine Learning https://t.co/q3X2Oiglw9

    @Edodelatorred

    10 Nov 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-11201: Vulnerabilidad Crítica en MLflow Afecta la Seguridad de los Modelos de Machine Learning https://t.co/vsJl9boIIW

    @matarturo

    9 Nov 2025

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. MLflow just had a bad week... Two CVEs dropped (CVE-2025-11200 (found be me 😆), CVE-2025-11201): authentication bypass via weak passwords + directory traversal RCE. Both unauthenticated, both trivial to exploit. Both submitted through the @thezdi program. If you're running

    @gothburz

    1 Nov 2025

    617 Impressions

    0 Retweets

    6 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  4. MLflow Tracking Server: CVE-2025-11201 Summary Directory traversal in MLflow Tracking Server allows remote code execution. Organizations should patch fast. For more details, read ZeroPath's blog on this vuln. #AppSec #InfoSec #MLflow https://t.co/ERmpsZlTn5

    @ZeroPathLabs

    29 Oct 2025

    63 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2025-11201 MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on… https://t.co/RTrOmOiVeZ

    @CVEnew

    29 Oct 2025

    325 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. MLflow Weak Password Requirements Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from weak password requirements. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26916.CVE-2025-11200
  2. In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally, this issue violates best practices for secure user account management. The issue is fixed in version 2.19.0.CVE-2025-1474
  3. A Cross-Site Request Forgery (CSRF) vulnerability exists in the Signup feature of mlflow/mlflow versions 2.17.0 to 2.20.1. This vulnerability allows an attacker to create a new account, which may be used to perform unauthorized actions on behalf of the malicious user.CVE-2025-1473
  4. In mlflow/mlflow version 2.17.2, the `/graphql` endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the application unable to respond to other requests. This vulnerability is due to uncontrolled resource consumption.CVE-2025-0453
  5. In mlflow/mlflow version v2.13.2, a vulnerability exists that allows the creation or renaming of an experiment with a large number of integers in its name due to the lack of a limit on the experiment name. This can cause the MLflow UI panel to become unresponsive, leading to a potential denial of service. Additionally, there is no character limit in the `artifact_location` parameter while creating the experiment.CVE-2024-6838

References

Sources include official advisories and independent security research.