CVE-2025-15379

MLflow · MLflow

A command injection vulnerability in MLflow's model serving container initialization allows attackers to execute arbitrary commands by supplying malicious model artifacts with unsanitized dependencies.

Executive summary

MLflow version 3.8.0 is subject to a critical command injection vulnerability that allows an attacker to achieve full system compromise through the deployment of malicious model artifacts.

Vulnerability

This flaw exists in the _install_model_dependencies_to_env() function where dependency specifications from python_env.yaml are interpolated into shell commands without sanitization. An attacker with the ability to supply or register a malicious model artifact can trigger arbitrary code execution when the model is deployed using the LOCAL environment manager.
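The pattern the advisory describes, shown as an added defensive example that is not MLflow's own code: dependency specifiers read from a model artifact are treated as untrusted input, checked against a strict allowlist before they reach pip, and passed to `subprocess` as an argument vector rather than interpolated into a shell string. The `dependencies` list below, the function names, and the assumption that `python_env.yaml` carries a flat list of pip specifiers are all constructed for illustration.

```python
import re
import subprocess
from typing import List

# Constructed sample of a python_env.yaml "dependencies" list. The real file
# layout that MLflow uses is assumed here, not copied from the project.
SAMPLE_DEPENDENCIES = [
    "scikit-learn==1.5.0",
    "numpy>=1.26,<2",
    "pandas[performance]~=2.2",
]

# Strict allowlist for one pip requirement specifier: a PEP 508-style project
# name, optional extras, optional comma-separated version clauses. This is
# deliberately narrower than PEP 508 (no URLs, no environment markers, no
# leading '-'), so nothing a shell or pip's option parser could reinterpret
# is accepted.
_SPEC_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?"        # project name
    r"(?:\[[A-Za-z0-9._,-]+\])?"                          # optional extras
    r"(?:\s*(?:[<>=!~]=?|===)\s*[A-Za-z0-9.*+!-]+"        # first version clause
    r"(?:\s*,\s*(?:[<>=!~]=?|===)\s*[A-Za-z0-9.*+!-]+)*)?$"  # further clauses
)


class UnsafeDependencyError(ValueError):
    """Raised when an artifact-supplied dependency fails the allowlist."""


def validate_dependencies(deps: List[str]) -> List[str]:
    """Return the specifiers stripped of whitespace, or raise on anything
    that is not a plain requirement specifier."""
    cleaned = []
    for dep in deps:
        if not isinstance(dep, str) or not _SPEC_RE.fullmatch(dep.strip()):
            raise UnsafeDependencyError(f"rejected dependency specifier: {dep!r}")
        cleaned.append(dep.strip())
    return cleaned


def build_pip_shell_command(deps: List[str]) -> str:
    """The pattern to avoid: artifact content concatenated into a string that
    would later be handed to a shell. Returned, never executed, here."""
    return "pip install " + " ".join(deps)


def build_pip_argv(deps: List[str]) -> List[str]:
    """The hardened form: validated specifiers become separate argv entries,
    so the shell never parses them and pip cannot mistake one for an option."""
    validated = validate_dependencies(deps)
    return ["python", "-m", "pip", "install", "--no-input", *validated]


def install_dependencies(deps: List[str], dry_run: bool = True) -> List[str]:
    """Install the artifact's dependencies without shell=True. With dry_run
    (the default, so the example runs offline) only the argv is returned."""
    argv = build_pip_argv(deps)
    if not dry_run:
        subprocess.run(argv, check=True)  # list form: no shell involved
    return argv


if __name__ == "__main__":
    print(install_dependencies(SAMPLE_DEPENDENCIES))
    for bad in ["numpy; echo injected", "--index-url=http://example.invalid"]:
        try:
            validate_dependencies([bad])
        except UnsafeDependencyError as exc:
            print(exc)
```

Two points carry the weight: the allowlist runs before any process is spawned, and the install path never builds a command string at all, so a specifier containing shell metacharacters fails closed instead of being interpreted. The shell-string builder is kept only to make the contrast with the argv form visible.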

Business impact

A successful exploit grants the attacker the same privileges as the MLflow service, potentially leading to total loss of confidentiality, integrity, and availability. Given the CVSS score of 10.0, this represents the highest possible risk, as it could allow for data exfiltration, lateral movement within the infrastructure, and permanent system damage.

Remediation

Immediate Action: Upgrade MLflow to version 3.8.2 or later to patch the vulnerable container initialization logic.

Proactive Monitoring: Review system logs for unusual shell command execution originating from the MLflow model serving process and monitor for unauthorized model registration activities.

Compensating Controls: Restrict model deployment permissions to trusted personnel and implement network segmentation to isolate model serving containers from sensitive internal resources.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The severity of this command injection flaw cannot be overstated, as indicated by the CVSS 10.0 rating. Organizations utilizing MLflow for model serving must prioritize the update to version 3.8.2 to mitigate the risk of arbitrary command execution and potential infrastructure takeover.