CVE-2025-15379

Published Mar 30, 2026

Last updated 22 days ago

CVSS critical 9.8

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-15379 describes a command injection vulnerability found within the model serving container initialization code of MLflow. Specifically, the flaw resides in the `_install_model_dependencies_to_env()` function. When a model is deployed with `env_manager=LOCAL`, MLflow processes dependency specifications from the `python_env.yaml` file within the model artifact. The vulnerability arises because these specifications are directly incorporated into a shell command without proper sanitization, enabling an attacker to provide a malicious model artifact and execute arbitrary commands on systems deploying the model. This issue impacts MLflow versions 3.8.0 and has been addressed in version 3.8.2.

Description
A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model artifact's `python_env.yaml` file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects versions 3.8.0 and is fixed in version 3.8.2.
Source
security@huntr.dev
NVD status
Analyzed
Products
mlflow

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

CVSS 3.0

Type
Secondary
Base score
10
Impact score
6
Exploitability score
3.9
Vector string
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security@huntr.dev
CWE-77

Social media

Hype score
Not currently trending

  1. `MLflow` is vulnerable to command injection (CVE-2025-15379), potentially allowing arbitrary code execution. Assess impact in your `MLflow` deployments. #MLflow #CommandInjection #InfoSec https://t.co/E0sk91Tfrr

    @pulsepatchio

    1 Apr 2026

    147 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. everyone is now panicking about AI hacking we've been AI hacking 10.0 critical in MLFlow by AI security agent waclaude (button pushed by me lol) CVE-2025-15379 https://t.co/P8zC6x5KlE

    @_colemurray

    31 Mar 2026

    1542 Impressions

    0 Retweets

    13 Likes

    3 Bookmarks

    1 Reply

    1 Quote

  3. CVE-2025-15379 A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function.… https://t.co/Pb2igaE07J

    @CVEnew

    30 Mar 2026

    107 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🔍 Today's Top Vulnerabilities 🔴 CVE-2025-15379 | CVSS 10.0 🔴 CVE-2026-32922 | CVSS 9.9 🔴 CVE-2026-32975 | CVSS 9.8 🔗 https://t.co/MGnNrzO0Nd #CVE #Vulnerability #ThreatIntel

    @ctiwatchcloud

    30 Mar 2026

    128 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  5. [CVE-2025-15379: CRITICAL] Critical command injection vulnerability in MLflow version 3.8.0 enables arbitrary command execution. Upgrade to version 3.8.2 to fix the security flaw. #CyberSecurity#cve,CVE-2025-15379,#cybersecurity https://t.co/u5G2s3hvaC

    @CveFindCom

    30 Mar 2026

    80 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  6. 🔴 CVE-2025-15379 - Critical A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a mod... https://t.co/NqgoSRzhBw https://t.co/FuHN61P2CN

    @TheHackerWire

    30 Mar 2026

    144 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. 🚨 CVE-2025-15379: Command Injection in mlflow/mlfl... MLflow's `python_env.yaml` parsing becomes a shell injection goldmine - malicious model artifacts = instant RCE on depl... https://t.co/2hP6djn3kR #netsec #vulnerability #CVE #sysadmin #zeroday

    @0dayPublishing

    30 Mar 2026

    158 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (`--app-name basic-auth`) and served via uvicorn (ASGI). The FastAPI permission middleware only enforces authentication on `/gateway/` routes, leaving other routes such as the Job API (`/ajax-api/3.0/jobs/*`) and the OpenTelemetry trace ingestion API (`/v1/traces`) unprotected. This allows unauthenticated remote attackers to submit jobs, read job results, cancel running jobs, and inject arbitrary trace data into experiments. The issue arises from an architectural mismatch between Flask and FastAPI authentication mechanisms, where the `_find_fastapi_validator()` function fails to handle non-`/gateway/` paths, resulting in a complete authentication bypass. This vulnerability is fixed in version 3.10.0.CVE-2026-2652
  2. MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access. This issue affects MLflow version through 3.10.1CVE-2026-33866
  3. MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim. This issue affects MLflow version through 3.10.1CVE-2026-33865
  4. In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled (`MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true`) and any job function is allowlisted, any network client can submit, read, search, and cancel jobs without credentials, bypassing basic-auth entirely. This can lead to unauthenticated remote code execution if allowed jobs perform privileged actions such as shell execution or filesystem changes. Even if jobs are deemed safe, this still constitutes an authentication bypass, potentially resulting in job spam, denial of service (DoS), or data exposure in job results.CVE-2026-0545
  5. A command injection vulnerability exists in mlflow/mlflow when serving a model with `enable_mlserver=True`. The `model_uri` is embedded directly into a shell command executed via `bash -c` without proper sanitization. If the `model_uri` contains shell metacharacters, such as `$()` or backticks, it allows for command substitution and execution of attacker-controlled commands. This vulnerability affects the latest version of mlflow/mlflow and can lead to privilege escalation if a higher-privileged service serves models from a directory writable by lower-privileged users.CVE-2026-0596

References

Sources include official advisories and independent security research.