{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15379", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2025-12-30T21:24:21.058Z", "datePublished": "2026-03-30T07:16:57.610Z", "dateUpdated": "2026-03-31T13:50:57.378Z"}, "containers": {"cna": {"title": "Command Injection in mlflow/mlflow", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2026-03-30T07:16:57.610Z"}, "descriptions": [{"lang": "en", "value": "A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model artifact's `python_env.yaml` file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects versions 3.8.0 and is fixed in version 3.8.2."}], "affected": [{"vendor": "mlflow", "product": "mlflow/mlflow", "versions": [{"version": "unspecified", "lessThan": "3.8.2", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/dc9c1c20-7879-4050-87df-4d095fe5ca75"}, {"url": "https://github.com/mlflow/mlflow/commit/361b6f620adf98385c6721e384fb5ef9a30bb05e"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10, "baseSeverity": "CRITICAL"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')", "cweId": "CWE-77"}]}], "source": {"advisory": "dc9c1c20-7879-4050-87df-4d095fe5ca75", "discovery": "EXTERNAL"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T03:55:37.623494Z", "id": "CVE-2025-15379", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T13:50:57.378Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15379", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-31T03:55:37.623494Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T13:34:44.912Z"}}], "cna": {"title": "Command Injection in mlflow/mlflow", "source": {"advisory": "dc9c1c20-7879-4050-87df-4d095fe5ca75", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "CHANGED", "version": "3.0", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "mlflow", "product": "mlflow/mlflow", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "3.8.2", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/dc9c1c20-7879-4050-87df-4d095fe5ca75"}, {"url": "https://github.com/mlflow/mlflow/commit/361b6f620adf98385c6721e384fb5ef9a30bb05e"}], "descriptions": [{"lang": "en", "value": "A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model artifact's `python_env.yaml` file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects versions 3.8.0 and is fixed in version 3.8.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2026-03-30T07:16:57.610Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15379", "state": "PUBLISHED", "dateUpdated": "2026-03-30T13:34:48.736Z", "dateReserved": "2025-12-30T21:24:21.058Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2026-03-30T07:16:57.610Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*", "matchCriteriaId": "CB8C7729-F7F9-4179-B66D-4E76EFE4115D", "versionEndIncluding": "3.8.1", "versionStartIncluding": "3.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model artifact's `python_env.yaml` file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects versions 3.8.0 and is fixed in version 3.8.2."}, {"lang": "es", "value": "Existe una vulnerabilidad de inyecci\u00f3n de comandos en el c\u00f3digo de inicializaci\u00f3n del contenedor de servicio de modelos de MLflow, espec\u00edficamente en la funci\u00f3n `_install_model_dependencies_to_env()`. Al desplegar un modelo con `env_manager=LOCAL`, MLflow lee las especificaciones de dependencia del archivo `python_env.yaml` del artefacto del modelo y las interpola directamente en un comando de shell sin sanitizaci\u00f3n. Esto permite a un atacante suministrar un artefacto de modelo malicioso y lograr la ejecuci\u00f3n arbitraria de comandos en sistemas que despliegan el modelo. La vulnerabilidad afecta a las versiones 3.8.0 y est\u00e1 corregida en la versi\u00f3n 3.8.2."}], "id": "CVE-2025-15379", "lastModified": "2026-04-28T14:26:00.520", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-30T08:16:15.667", "references": [{"source": "security@huntr.dev", "tags": ["Patch"], "url": "https://github.com/mlflow/mlflow/commit/361b6f620adf98385c6721e384fb5ef9a30bb05e"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Third Party Advisory"], "url": "https://huntr.com/bounties/dc9c1c20-7879-4050-87df-4d095fe5ca75"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "security@huntr.dev", "type": "Primary"}]}

{"bugzilla": {"description": "mlflow: MLflow: Arbitrary command execution via command injection in model serving container initialization.", "id": "2452949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452949"}, "csaw": false, "cvss3": {"cvss3_base_score": "10.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-78", "details": ["A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model artifact's `python_env.yaml` file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects versions 3.8.0 and is fixed in version 3.8.2.", "A flaw was found in MLflow. When deploying a model with `env_manager=LOCAL`, MLflow's model serving container initialization code, specifically the `_install_model_dependencies_to_env()` function, reads dependency specifications from the model artifact's `python_env.yaml` file. An attacker can supply a malicious model artifact, leading to command injection as these specifications are directly interpolated into a shell command without proper sanitization. This allows for arbitrary command execution on systems deploying the malicious model."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, avoid deploying MLflow models with `env_manager=LOCAL`. If using `env_manager=LOCAL` is unavoidable, ensure that all model artifacts, particularly their `python_env.yaml` files, originate from trusted sources and are thoroughly vetted for malicious content. This operational control helps prevent the injection of arbitrary commands during model serving container initialization."}, "name": "CVE-2025-15379", "package_state": [{"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-mlflow-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-training-cuda128-torch29-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-03-30T07:16:57Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-15379\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-15379\nhttps://github.com/mlflow/mlflow/commit/361b6f620adf98385c6721e384fb5ef9a30bb05e\nhttps://huntr.com/bounties/dc9c1c20-7879-4050-87df-4d095fe5ca75"], "statement": "This vulnerability in MLflow allows for arbitrary command execution when deploying a model with `env_manager=LOCAL`. An attacker can supply a malicious model artifact containing a crafted `python_env.yaml` file, leading to command injection during container initialization. During the deployment of the model MLflow passes the maliciously crafted requirement string to the shell command without properly sanitization of possible command injections, as consequence the attacker may be able to execute arbitrary code at the same permission level as the user running the MLflow process.", "threat_severity": "Critical"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.8.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "mlflow/mlflow", "source": "cna", "vendor": "mlflow"}, "product": "mlflow", "vendor": "mlflow"}], "analysis": {"en": {"generated_at": "2026-04-29T00:37:30.434135+00:00", "value": {"mitigation_remediation": ["Upgrade MLflow to version 3.8.2 or later", "If an upgrade cannot be performed immediately, restrict the env_manager to a secure mode or limit deployment to trusted users only", "Audit all model artifacts for malicious python_env.yaml entries and remove or sanitize any that pose a risk", "Implement a peer\u2011review or automated linting process to prevent injection payloads from entering the artifact repository"], "summary": {"action": "Immediate Patch", "impact": "Arbitrary Command Execution"}, "threat_synthesis": {"affected_systems": "Version 3.8.0 of the open-source MLflow project (mlflow:mlflow/mlflow) is affected. The fix was introduced in version 3.8.2. The issue arises when a model is deployed with the default LOCAL environment manager and does not involve other external packages.", "description_and_impact": "MLflow\u2019s model serving initialization performs shell command construction by reading dependency lists from a model artifact\u2019s python_env.yaml file without sanitization. This creates a command injection flaw that allows attackers to include malicious text in the yaml and cause the MLflow service to execute arbitrary shell commands. The weakness is classified as OS Command Injection (CWE-77) and Command Injection (CWE-78), and can compromise the host on which the model is served, enabling attackers to gain full control of the machine.", "risk_and_exploitability": "An attacker can exploit this by uploading a crafted python_env.yaml in a model artifact and deploying it to a server running MLflow with the local environment manager. Because the payload runs in the same shell context as the MLflow service, the attack only requires permission to upload a model artifact. The CVSS v3.1 base score of 9.8 signals complete privilege escalation, while the EPSS score of less than 1% indicates a low probability of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog, but that does not change the severity of the flaw."}}}}, "created": "2026-03-30T20:56:05.461945+00:00", "updated": "2026-04-29T00:45:26.159372+00:00", "vendors": ["mlflow", "mlflow$PRODUCT$mlflow"]}