AI Threat Alert
Patch MLflow to 3.0.0 immediately — this is unauthenticated RCE over the network, zero skills required, and MLflow Tracking Servers are routinely exposed on internal data science networks or cloud environments. If you cannot patch now, firewall the instance to known CI/CD IPs only and treat any previously exposed deployment as compromised. Rotate all credentials accessible from the MLflow host.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| mlflow | pip | >= 3.0.0rc0, < 3.0.0 | 3.0.0 |
| mlflow | pip | — | No patch |
Severity & Risk
Recommended Action
- 1. PATCH: Upgrade to MLflow 3.0.0 immediately (confirmed fixes in commits e7dc057 and 5f98ff9 in mlflow/mlflow repo). 2. ISOLATE: If immediate patching is blocked, firewall MLflow Tracking Server to restrict access to known internal CI/CD IPs only — block all external and lateral access. 3. LEAST PRIVILEGE: Audit MLflow service account permissions; revoke any cloud admin or broad S3/storage roles not strictly required. 4. DETECT: Search access logs for path traversal patterns in model creation API calls — look for '../', '%2e%2e', or unusual absolute paths. Set alerts on these patterns. 5. AUDIT FOR COMPROMISE: Inspect the MLflow host for unexpected files, new scheduled tasks, or anomalous outbound connections that may indicate prior exploitation. 6. ROTATE: As a precaution, rotate all credentials (cloud keys, DB passwords, API tokens) accessible from the MLflow host environment.
Classification
Compliance Impact
This CVE is relevant to:
Technical Details
NVD Description
MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of model file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26921.
Exploitation Scenario
Attacker scans cloud environments for MLflow Tracking Servers on default ports (5000/5001) using Shodan or targeted AWS/GCP enumeration. Sends a crafted HTTP POST to the model file creation endpoint with a path traversal payload (e.g., '../../etc/cron.d/backdoor' or a writable path outside the intended directory) to drop an arbitrary file on the server filesystem. No credentials or prior access required. Payload writes a reverse shell cron job or web shell. Attacker gains code execution as the MLflow service account and immediately queries the cloud metadata endpoint for IAM credentials, then exfiltrates model weights, training data, and stored experiment artifacts. Full attack chain executable in under five minutes with a basic proof-of-concept script.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References
- github.com/B-Step62/mlflow/commit/2e02bc7bb70df243e6eb792689d9b8eba0013161
- github.com/advisories/GHSA-5cvj-7rg6-jggj
- github.com/mlflow/mlflow/commit/5f98ff98659dddb188591ecf6b10a4e276a0dba7
- github.com/mlflow/mlflow/commit/e7dc0574fa3459e0003cfeb68d4e4a625491f03d
- nvd.nist.gov/vuln/detail/CVE-2025-11201
- zerodayinitiative.com/advisories/ZDI-25-931
- github.com/B-Step62/mlflow/commit/2e02bc7bb70df243e6eb792689d9b8eba0013161 Patch
- zerodayinitiative.com/advisories/ZDI-25-931/ 3rd Party