PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-15031 mlflow CVE debrief

CVE-2025-15031 is a critical vulnerability in MLflow's pyfunc extraction process. The issue arises from the use of `tarfile.extractall` without path validation, enabling crafted tar.gz files to escape the intended extraction directory. This can lead to arbitrary file overwrites and potential remote code execution. The vulnerability affects the latest version of MLflow and poses a high/critical risk, especially in multi-tenant environments or when ingesting untrusted artifacts. The CVE was published on March 18, 2026, and last modified on June 30, 2026.

Vendor
mlflow
Product
mlflow/mlflow
CVSS
CRITICAL 9.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-18
Original CVE updated
2026-06-30
Advisory published
2026-03-18
Advisory updated
2026-06-30

Who should care

Organizations using MLflow, especially in multi-tenant environments or those ingesting untrusted artifacts, should prioritize patching this vulnerability. Security teams and administrators responsible for MLflow deployments need to assess their exposure and apply necessary mitigations. Developers working with MLflow should also be aware of the risks associated with ingesting untrusted artifacts.

Technical summary

The vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of `tarfile.extractall` without path validation enables crafted tar.gz files containing `..` or absolute paths to escape the intended extraction directory. This issue affects the latest version of MLflow (prior to 3.10.1) and can lead to arbitrary file overwrites and potential remote code execution. The CVSS score for this vulnerability is 9.1, indicating a critical severity.

Defensive priority

This vulnerability requires immediate attention due to its critical severity and potential for remote code execution. Organizations should prioritize patching MLflow to version 3.10.1 or later.

Recommended defensive actions

  • Update MLflow to version 3.10.1 or later to patch the vulnerability.
  • Implement strict validation of tar archive entries to prevent arbitrary file writes.
  • Restrict access to MLflow deployments, especially in multi-tenant environments.
  • Monitor for suspicious activity related to MLflow artifact ingestion.
  • Perform thorough inventory checks of MLflow deployments to identify potential exposure.

Evidence notes

The CVE-2025-15031 vulnerability was published on March 18, 2026, and last modified on June 30, 2026. The vulnerability affects MLflow versions prior to 3.10.1. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating a critical severity with a score of 9.1. The weakness associated with this vulnerability is CWE-22, Improper Limitation of a Pathname to a Restricted Directory.

Official resources

This article is AI-assisted and based on the supplied source corpus.