{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14287", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2025-12-08T19:06:12.739Z", "datePublished": "2026-03-15T09:27:36.706Z", "dateUpdated": "2026-03-17T12:44:13.631Z"}, "containers": {"cna": {"title": "Command Injection in mlflow/mlflow", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2026-03-15T09:27:36.706Z"}, "descriptions": [{"lang": "en", "value": "A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the `mlflow/sagemaker/__init__.py` file at lines 161-167. The vulnerability arises from the direct interpolation of user-supplied container image names into shell commands without proper sanitization, which are then executed using `os.system()`. This allows attackers to execute arbitrary commands by supplying malicious input through the `--container` parameter of the CLI. The issue affects environments where MLflow is used, including development setups, CI/CD pipelines, and cloud deployments."}], "affected": [{"vendor": "mlflow", "product": "mlflow/mlflow", "versions": [{"version": "unspecified", "status": "affected", "versionType": "custom", "lessThanOrEqual": "latest"}]}], "references": [{"url": "https://huntr.com/bounties/229cd526-41aa-4819-b6f0-e2d0371c89e3"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code", "cweId": "CWE-94"}]}], "source": {"advisory": "229cd526-41aa-4819-b6f0-e2d0371c89e3", "discovery": "EXTERNAL"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T03:55:37.361001Z", "id": "CVE-2025-14287", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T12:44:13.631Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14287", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-17T03:55:37.361001Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T12:44:10.328Z"}}], "cna": {"title": "Command Injection in mlflow/mlflow", "source": {"advisory": "229cd526-41aa-4819-b6f0-e2d0371c89e3", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "mlflow", "product": "mlflow/mlflow", "versions": [{"status": "affected", "version": "unspecified", "versionType": "custom", "lessThanOrEqual": "latest"}]}], "references": [{"url": "https://huntr.com/bounties/229cd526-41aa-4819-b6f0-e2d0371c89e3"}], "descriptions": [{"lang": "en", "value": "A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the `mlflow/sagemaker/__init__.py` file at lines 161-167. The vulnerability arises from the direct interpolation of user-supplied container image names into shell commands without proper sanitization, which are then executed using `os.system()`. This allows attackers to execute arbitrary commands by supplying malicious input through the `--container` parameter of the CLI. The issue affects environments where MLflow is used, including development setups, CI/CD pipelines, and cloud deployments."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2026-03-15T09:27:36.706Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14287", "state": "PUBLISHED", "dateUpdated": "2026-03-17T12:44:13.631Z", "dateReserved": "2025-12-08T19:06:12.739Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2026-03-15T09:27:36.706Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lfprojects:mlflow:*:-:*:*:*:*:*:*", "matchCriteriaId": "6067BA6F-1194-4135-AAB5-56C8393D3260", "versionEndExcluding": "3.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the `mlflow/sagemaker/__init__.py` file at lines 161-167. The vulnerability arises from the direct interpolation of user-supplied container image names into shell commands without proper sanitization, which are then executed using `os.system()`. This allows attackers to execute arbitrary commands by supplying malicious input through the `--container` parameter of the CLI. The issue affects environments where MLflow is used, including development setups, CI/CD pipelines, and cloud deployments."}, {"lang": "es", "value": "Una vulnerabilidad de inyecci\u00f3n de comandos existe en las versiones de mlflow/mlflow anteriores a la v3.7.0, espec\u00edficamente en el archivo 'mlflow/sagemaker/__init__.py' en las l\u00edneas 161-167. La vulnerabilidad surge de la interpolaci\u00f3n directa de nombres de im\u00e1genes de contenedores proporcionados por el usuario en comandos de shell sin una sanitizaci\u00f3n adecuada, los cuales son luego ejecutados usando 'os.system()'. Esto permite a los atacantes ejecutar comandos arbitrarios al proporcionar entrada maliciosa a trav\u00e9s del par\u00e1metro '--container' de la CLI. El problema afecta a los entornos donde se utiliza MLflow, incluyendo configuraciones de desarrollo, pipelines de CI/CD y despliegues en la nube."}], "id": "CVE-2025-14287", "lastModified": "2026-04-14T16:48:14.020", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-16T14:17:55.610", "references": [{"source": "security@huntr.dev", "tags": ["Exploit", "Third Party Advisory"], "url": "https://huntr.com/bounties/229cd526-41aa-4819-b6f0-e2d0371c89e3"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@huntr.dev", "type": "Primary"}]}

{"bugzilla": {"description": "mlflow: MLflow: Arbitrary command execution via unsanitized container image names", "id": "2447690", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447690"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-78", "details": ["A flaw was found in MLflow, a platform for managing the machine learning lifecycle. This vulnerability, known as command injection, allows an attacker to execute unauthorized commands on the system. By providing specially crafted input through the `--container` parameter, an attacker can bypass security checks and inject malicious code. This can lead to arbitrary command execution, potentially compromising the integrity and confidentiality of the affected system."], "name": "CVE-2025-14287", "package_state": [{"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-mlflow-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-training-cuda128-torch29-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-03-15T09:27:36Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-14287\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-14287\nhttps://huntr.com/bounties/229cd526-41aa-4819-b6f0-e2d0371c89e3"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "mlflow/mlflow", "source": "cna", "vendor": "mlflow"}, "product": "mlflow", "vendor": "mlflow"}], "analysis": {"en": {"generated_at": "2026-04-14T20:26:45.607049+00:00", "value": {"mitigation_remediation": ["Upgrade mlflow to version 3.7.0 or later.", "If the application does not require the --container feature, disable or remove its usage.", "Apply input validation or sanitization on the container name before executing os.system, or replace os.system with a safer API.", "Restrict access to the MLflow CLI or the underlying process to trusted users only.", "Monitor logs for suspicious command execution and review CI/CD pipelines for unpatched instances."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The issue is present in the mlflow/mlflow open\u2011source project, affecting any deployment that includes the mlflow version earlier than 3.7.0. Users running MLflow in development machines, CI/CD pipelines, or cloud services should verify their installed version and apply updates if necessary. The file mlflow/sagemaker/__init__.py is where the injection occurs, impacting any environment that uses the sagemaker integration and accepts the --container parameter.", "description_and_impact": "This vulnerability allows an attacker to execute arbitrary shell commands within the MLflow process. It occurs in versions of mlflow before 3.7.0 where the CLI parameter --container is directly inserted into a shell command via os.system without sanitization. The flaw is a classic command injection (CWE\u201178, CWE\u201194). If exploited, the attacker could compromise confidentiality, integrity, and availability of the system and potentially access sensitive data or disrupt services.", "risk_and_exploitability": "The CVSS score of 8.8 indicates high severity, and the EPSS score below 1% suggests low current exploitation probability, though the risk remains significant. The vulnerability is not listed in CISA's KEV catalog. Exploitation would follow an attack path where a privileged user or an attacker with access to the MLflow CLI supplies a malicious value for --container. In environments where the CLI is exposed or accessible by untrusted users, the attack could be performed remotely. Mitigation requires patching or removing the vulnerable code path, as the issue stems from unsanitized user input."}}}}, "created": "2026-03-16T09:21:56.318157+00:00", "updated": "2026-04-15T16:45:09.841806+00:00", "vendors": ["mlflow", "mlflow$PRODUCT$mlflow"]}