Description
A command injection vulnerability in MLflow's model serving container initialization allows attackers to execute arbitrary commands by supplying malicious model artifacts with unsanitized dependencies.
AI Analyst Comment
Remediation
Update MLflow to the latest version. Monitor for exploitation attempts and review access logs.
Executive Summary:
MLflow version 3.8.0 is subject to a critical command injection vulnerability that allows an attacker to achieve full system compromise through the deployment of malicious model artifacts.
Vulnerability Details
CVE-ID: CVE-2025-15379
Affected Software: MLflow
Affected Versions: 3.8.0
Vulnerability: This flaw exists in the _install_model_dependencies_to_env() function, where dependency specifications from python_env.yaml are interpolated into shell commands without sanitization. An attacker with the ability to supply or register a malicious model artifact can trigger arbitrary code execution when the model is deployed using the LOCAL environment manager.
Business Impact
A successful exploit grants the attacker the same privileges as the MLflow service, potentially leading to total loss of confidentiality, integrity, and availability. Given the CVSS score of 10.0, this represents the highest possible risk, as it could allow for data exfiltration, lateral movement within the infrastructure, and permanent system damage.
Remediation Plan
Immediate Action: Upgrade MLflow to version 3.8.2 or later immediately to patch the vulnerable container initialization logic.
Proactive Monitoring: Review system logs for unusual shell command execution originating from the MLflow model serving process and monitor for unauthorized model registration activities.
Compensating Controls: Restrict model deployment permissions to trusted personnel and implement network segmentation to isolate model serving containers from sensitive internal resources.
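One way to triage model artifacts before they are deployed, as an added example (not MLflow's code and not part of the original advisory): it flags python_env.yaml dependency entries that are not plain requirement specifiers. The function names, the allowlist patterns and the sample file are assumptions of this sketch, and it only understands the flat block layout of python_env.yaml.

```python
import re

# Conservative allowlist (an assumption of this sketch, stricter than PEP 508):
# "name[extras]" with optional comma-separated version clauses, or "-r <file>".
_OP = r"(?:==|>=|<=|~=|!=|<|>)"
_VER = r"[A-Za-z0-9.*+!_-]+"
_REQ = re.compile(
    rf"[A-Za-z0-9][A-Za-z0-9._-]*(?:\[[A-Za-z0-9._,-]+\])?(?:{_OP}{_VER}(?:,{_OP}{_VER})*)?"
)
_REQ_FILE = re.compile(r"-r [A-Za-z0-9._/-]+")
_SCALAR = re.compile(r"[A-Za-z_]+:\s*[A-Za-z0-9.]*")

def read_dependencies(text):
    """Collect list items under dependencies/build_dependencies."""
    # Fail closed: any layout this reader does not understand raises, so the
    # artifact goes to manual review instead of passing unchecked.
    deps, in_list = [], False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if line in ("dependencies:", "build_dependencies:"):
            in_list = True
        elif in_list and line.lstrip().startswith("- "):
            deps.append(line.lstrip()[2:].strip())
        elif _SCALAR.fullmatch(line):
            in_list = False  # a scalar key such as "python: 3.10.12"
        else:
            raise ValueError(f"unrecognised python_env.yaml line: {line!r}")
    return deps

def audit_python_env(text):
    """Return the dependency entries that are not plain requirement specifiers."""
    return [d for d in read_dependencies(text)
            if not (_REQ.fullmatch(d) or _REQ_FILE.fullmatch(d))]

# Constructed sample; the last entry carries a harmless shell separator.
SAMPLE = """\
python: 3.10.12
build_dependencies:
- pip==23.3.1
- setuptools
dependencies:
- -r requirements.txt
- scikit-learn>=1.3,<1.5
- numpy==1.26.4; echo constructed-marker
"""
```

Entries with environment markers or quoting are also reported, since the allowlist is deliberately narrower than what pip accepts; a reported entry means the artifact needs a human look before it is served.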
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of Mar 30, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw and the ease with which a malicious artifact can be crafted, the potential for exploitation is extremely high.
Analyst Recommendation
The severity of this command injection flaw cannot be overstated, as indicated by the CVSS 10.0 rating. Organizations utilizing MLflow for model serving must prioritize the update to version 3.8.2 to mitigate the risk of arbitrary command execution and potential infrastructure takeover.