PatchSiren cyber security CVE debrief
CVE-2025-15031 mlflow CVE debrief
CVE-2025-15031 is a critical vulnerability in MLflow's pyfunc extraction process. The issue arises from the use of `tarfile.extractall` without path validation, enabling crafted tar.gz files to escape the intended extraction directory. This can lead to arbitrary file overwrites and potential remote code execution. The vulnerability affects the latest version of MLflow and poses a high/critical risk, especially in multi-tenant environments or when ingesting untrusted artifacts. The CVE was published on March 18, 2026, and last modified on June 30, 2026.
- Vendor
- mlflow
- Product
- mlflow/mlflow
- CVSS
- CRITICAL 9.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-03-18
- Original CVE updated
- 2026-06-30
- Advisory published
- 2026-03-18
- Advisory updated
- 2026-06-30
Who should care
Organizations using MLflow, especially in multi-tenant environments or those ingesting untrusted artifacts, should prioritize patching this vulnerability. Security teams and administrators responsible for MLflow deployments need to assess their exposure and apply necessary mitigations. Developers working with MLflow should also be aware of the risks associated with ingesting untrusted artifacts.
Technical summary
The vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of `tarfile.extractall` without path validation enables crafted tar.gz files containing `..` or absolute paths to escape the intended extraction directory. This issue affects the latest version of MLflow (prior to 3.10.1) and can lead to arbitrary file overwrites and potential remote code execution. The CVSS score for this vulnerability is 9.1, indicating a critical severity.
Defensive priority
This vulnerability requires immediate attention due to its critical severity and potential for remote code execution. Organizations should prioritize patching MLflow to version 3.10.1 or later.
Recommended defensive actions
- Update MLflow to version 3.10.1 or later to patch the vulnerability.
- Implement strict validation of tar archive entries to prevent arbitrary file writes.
- Restrict access to MLflow deployments, especially in multi-tenant environments.
- Monitor for suspicious activity related to MLflow artifact ingestion.
- Perform thorough inventory checks of MLflow deployments to identify potential exposure.
Evidence notes
The CVE-2025-15031 vulnerability was published on March 18, 2026, and last modified on June 30, 2026. The vulnerability affects MLflow versions prior to 3.10.1. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating a critical severity with a score of 9.1. The weakness associated with this vulnerability is CWE-22, Improper Limitation of a Pathname to a Restricted Directory.
Official resources
-
CVE-2025-15031 CVE record
CVE.org
-
CVE-2025-15031 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Exploit, Mitigation, Third Party Advisory
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.