CVE-2025-15031

A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of `tarfile.extractall` without path validation enables crafted tar.gz files containing `..` or absolute paths to escape the intended extraction directory. This issue affects the latest version of MLflow and poses a high/critical risk in scenarios involving multi-tenant environments or ingestion of untrusted artifacts, as it can lead to arbitrary file overwrites and potential remote code execution.

An adversary with access to an MLflow tracking server — via compromised internal credentials, a malicious insider, or an upstream supply chain compromise — uploads a pyfunc model bundle packaged as a crafted tar.gz file. The archive contains entries with path traversal sequences such as `../../etc/cron.d/mlflow-backdoor` or `../../root/.ssh/authorized_keys`, each containing attacker-controlled content. When MLflow processes this artifact during model registration, loading, or automated evaluation in a CI/CD pipeline, `tarfile.extractall` writes these files to their traversed destinations without validation. On a bare-metal MLflow server, this achieves persistent RCE via cron or SSH key injection. On a Kubernetes pod with host path mounts (common in ML training setups), the traversal escapes the container and achieves host-level code execution — full cluster compromise is then a lateral movement step away.