CVE-2025-15036

MLflow · MLflow

A path traversal vulnerability in MLflow's archive extraction function allows attackers to overwrite arbitrary files and escape sandboxed directories via malicious tar archives.

Executive summary

MLflow versions prior to v3.7.0 are vulnerable to a critical path traversal flaw that enables attackers to overwrite system files and potentially escape sandbox environments.

Vulnerability

The vulnerability resides in the extract_archive_to_dir function within the artifact cache component, which fails to validate member paths during tar extraction. An attacker who can upload or provide a specially crafted tar.gz file can use directory traversal sequences (e.g., ../) to write files outside the intended directory.

Business impact

Successful exploitation can lead to arbitrary file overwrites, which may result in privilege escalation, system instability, or full sandbox escape in multi-tenant environments. The CVSS score of 9.6 highlights the critical nature of this vulnerability and the high risk of unauthorized data access and system compromise.

Remediation

Immediate Action: Upgrade MLflow to version v3.7.0 or higher to get proper path validation during archive extraction.

Proactive Monitoring: Scan the file system for unexpected files created outside of the MLflow artifact directories and monitor for suspicious file write operations.

Compensating Controls: Use containerization with restricted file system permissions (read-only where possible) to limit the impact of a successful path traversal attack.
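
The member-path check that the vulnerable extraction lacked, written here as an added example (not MLflow's code and not its v3.7.0 patch). The names unsafe_members, safe_extract and build_archive are hypothetical, and rejecting every link or special member is an assumed, deliberately conservative policy.

```python
import io
import os
import tarfile


def unsafe_members(tar, dest_dir):
    """Return (name, reason) for every member that must not be extracted."""
    root = os.path.realpath(dest_dir)
    findings = []
    for m in tar.getmembers():
        # Absolute names and ../ sequences both collapse here, so the
        # comparison below sees where the member would really be written.
        target = os.path.realpath(os.path.join(root, m.name))
        if not (m.isfile() or m.isdir()):
            # Conservative policy (assumption): no links, devices or FIFOs,
            # since a link can redirect a later member outside dest_dir.
            findings.append((m.name, "not a regular file or directory"))
        elif target != root and not target.startswith(root + os.sep):
            findings.append((m.name, "resolves outside destination"))
    return findings


def safe_extract(archive_path, dest_dir):
    """Extract only if every member stays inside dest_dir; else raise."""
    os.makedirs(dest_dir, exist_ok=True)
    with tarfile.open(archive_path, "r:*") as tar:
        findings = unsafe_members(tar, dest_dir)
        if findings:
            raise ValueError(f"archive rejected: {findings}")
        # Defence in depth: use the stdlib 'data' filter where it exists.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest_dir, **extra)


def build_archive(path, names):
    """Constructed sample input: a tar.gz with one small file per name."""
    with tarfile.open(path, "w:gz") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            payload = b"sample\n"
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
```

The whole archive is rejected before anything is written, so a single bad member never leaves a partially extracted tree behind. unsafe_members can also be run on its own to audit archives already sitting in an artifact store.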

Exploitation status

Public Exploit Available: false

Analyst recommendation

The ability to overwrite arbitrary files poses a significant risk to the integrity of the MLflow platform. It is strongly recommended that all users update to version v3.7.0 immediately to mitigate the risk of sandbox escapes and unauthorized system modification.