CVE-2025-15036

Published Mar 30, 2026

Last updated 17 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-15036 is a path traversal vulnerability found in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. This flaw affects versions prior to v3.7.0. The vulnerability arises from insufficient validation of tar member paths during archive extraction. An attacker who can control the tar.gz file can exploit this to overwrite arbitrary files or achieve elevated privileges, potentially enabling them to escape the sandbox directory in multi-tenant or shared cluster environments.

Description
A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member paths during extraction. An attacker with control over the tar.gz file can exploit this issue to overwrite arbitrary files or gain elevated privileges, potentially escaping the sandbox directory in multi-tenant or shared cluster environments.
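The description above says the extraction routine did not validate tar member paths. The Python below is added here as an illustration and is not mlflow's code: it shows the checks a defender expects such an extractor to perform, builds two small tar.gz archives in memory (constructed sample data, not real MLflow artifacts; one benign, one carrying a `..` member and two escaping symlinks), and refuses to extract any archive whose members would land outside the destination directory. The function names (`member_problem`, `scan_archive`, `safe_extract`) are this example's own.

```python
"""Added example: validating tar member paths before extraction (not mlflow's code)."""
import io
import os
import tarfile
import tempfile


def _build_archive(entries):
    """Build a tar.gz in memory. entries: (name, data_bytes_or_None, symlink_target_or_None)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data, link in entries:
            info = tarfile.TarInfo(name)
            if link is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = link
            else:
                info.size = len(data)
            tf.addfile(info, io.BytesIO(data) if data is not None else None)
    return buf.getvalue()


# Constructed sample archives (not real MLflow artifacts).
BENIGN = _build_archive([
    ("model/MLmodel", b"artifact_path: model\n", None),
    ("model/data/weights.bin", b"\x00\x01", None),
])
MALICIOUS = _build_archive([
    ("../escape.txt", b"overwritten", None),   # classic traversal member
    ("link_out", None, "/etc"),                # symlink to an absolute path
    ("up", None, "../../"),                    # relative symlink climbing out
    ("link_out/passwd", b"x", None),           # write through the planted symlink
])


def _resolves_inside(base, path):
    """True if base/path, fully resolved, stays at or below base."""
    base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, path))
    return target == base or target.startswith(base + os.sep)


def member_problem(member, dest):
    """Return a reason string if this member is unsafe to extract under dest, else None."""
    name = member.name
    if os.path.isabs(name) or name.startswith("\\"):
        return "absolute path"
    if not _resolves_inside(dest, name):
        return "escapes destination"
    if member.issym() or member.islnk():
        # Symlink targets are relative to the link's own directory; hard links to the archive root.
        if member.islnk():
            target = member.linkname
        else:
            target = os.path.join(os.path.dirname(name), member.linkname)
        if os.path.isabs(member.linkname) or not _resolves_inside(dest, target):
            return "link target escapes destination"
    if not (member.isfile() or member.isdir() or member.issym() or member.islnk()):
        return "unsupported member type"  # devices, fifos, etc.
    return None


def scan_archive(archive_bytes, dest):
    """Pre-scan every member before anything touches disk; map name -> reason for rejections."""
    problems = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tf:
        for member in tf.getmembers():
            reason = member_problem(member, dest)
            if reason:
                problems[member.name] = reason
    return problems


def safe_extract(archive_bytes, dest):
    """Extract only if no member is rejected; return the relative paths of extracted files."""
    problems = scan_archive(archive_bytes, dest)
    if problems:
        raise ValueError(f"refusing to extract: {problems}")
    os.makedirs(dest, exist_ok=True)
    # On Python versions that ship tarfile.data_filter, use it as a second line of defence.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tf:
        tf.extractall(dest, **kwargs)
    return sorted(
        os.path.relpath(os.path.join(root, f), dest)
        for root, _, files in os.walk(dest) for f in files
    )


def demo():
    """Extract the benign archive, then report why the malicious one is refused."""
    with tempfile.TemporaryDirectory() as tmp:
        out = os.path.join(tmp, "out")
        extracted = safe_extract(BENIGN, out)
        problems = scan_archive(MALICIOUS, out)
    return extracted, problems


if __name__ == "__main__":
    extracted, problems = demo()
    print("extracted:", extracted)
    print("rejected:", problems)
```

The pre-scan rejects the whole archive rather than skipping bad members, so a partially extracted tree never exists on disk. Note that `link_out/passwd` itself passes the path check because nothing is on disk yet when the scan runs; it is the symlink it relies on that gets refused, which is why link targets must be validated and not just member names. The `filter="data"` argument, available where `tarfile.data_filter` exists, applies similar checks inside the standard library and serves as a backstop.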
Source
security@huntr.dev
NVD status
Analyzed
Products
mlflow

Risk scores

CVSS 3.1

Type
Primary
Base score
10
Impact score
6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity
CRITICAL

CVSS 3.0

Type
Secondary
Base score
9.6
Impact score
6
Exploitability score
2.8
Vector string
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security@huntr.dev
CWE-29

Social media

Hype score
Not currently trending
  1. A critical path traversal vulnerability (CVE-2025-15036) has been identified in MLflow with a CVSS score of 9.6. The extract_archive_to_dir function within mlflow/pyfunc/dbconnect_artifact_cache.py lacks validation of tar member paths during extraction. An attacker with control

    @CheckmarxZero

    2 Apr 2026

    103 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  2. A critical path traversal vulnerability (CVE-2025-15036) has been identified in `MLFlow`. This flaw could allow unauthorized access to sensitive files. Assess your #MLFlow deployments and prepare for #patching. More details: https://t.co/nDDu9BmBmz

    @pulsepatchio

    1 Apr 2026

    148 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. ⚡ New CVE Alert: CVE-2025-15036 📊 Severity: 9.6 🚨 Risk Level: Critical 🧩 Affects: Multiple / Unspecified Products Reference: https://t.co/o90kGger0p #CVE-2025-15036 #CVE #Critical #CyberSecurity #InfoSec https://t.co/i7olyMNzuP

    @CVEarity

    30 Mar 2026

    136 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-15036 A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow reposi… https://t.co/V9RZEb0SDJ

    @CVEnew

    30 Mar 2026

    90 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. 🚨 CYBERDUDEBIVASH SENTINEL APEX ALERT 🚨 Threat: CVE-2025-15036 - Path Traversal Vulnerability in mlflow/mlflow Intel Report: https://t.co/dVi8iXe7yY

    @cyberbivash

    30 Mar 2026

    125 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. [CVE-2025-15036: CRITICAL] Critical path traversal vulnerability identified in mlflow repository's `extract_archive_to_dir` function allowing attackers to overwrite files or attain higher privileges pre v3.7.0.#cve,CVE-2025-15036,#cybersecurity https://t.co/mgMvf6dgDr

    @CveFindCom

    30 Mar 2026

    94 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. 🔴 CVE-2025-15036 - Critical A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. This vulnerabil... https://t.co/7cLOrG0Ed0 https://t.co/0ZsC4YNqu0

    @TheHackerWire

    30 Mar 2026

    142 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. 🚨 CVE-2025-15036: Path Traversal Vulnerability in ... MLFlow's tar extraction bypasses path validation—classic zip slip in ML pipelines means one malicious model archive own... https://t.co/qKVNIc67VG #netsec #vulnerability #CVE #sysadmin #zeroday

    @0dayPublishing

    30 Mar 2026

    159 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations