CVE-2025-11201
Published: 29 October 2025
Summary
CVE-2025-11201 is a critical-severity Path Traversal (CWE-22) vulnerability in Lfprojects Mlflow. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 7.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the directory traversal vulnerability by requiring validation of user-supplied model file paths prior to file operations.
Ensures timely patching of the specific flaw in MLflow Tracking Server, as evidenced by the available commit fix for CVE-2025-11201.
Enforces restrictions on user-supplied inputs at system boundaries to block malformed paths like directory traversal sequences targeting model creation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2025-11201 is an unauthenticated remote code execution vulnerability via directory traversal in the public-facing MLflow Tracking Server, directly enabling exploitation of public-facing applications (T1190).
NVD Description
MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within…
more
the handling of model file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26921.
Deeper analysisAI
CVE-2025-11201 is a remote code execution vulnerability affecting the MLflow Tracking Server, stemming from a directory traversal flaw (CWE-22) in the handling of model file paths during model creation. The issue arises due to insufficient validation of user-supplied paths before they are used in file operations, allowing attackers to manipulate paths arbitrarily. This critical vulnerability, assigned a CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), impacts affected installations of the MLflow Tracking Server and was previously tracked as ZDI-CAN-26921.
Remote attackers can exploit this vulnerability over the network without authentication, requiring no user interaction or privileges. Successful exploitation enables the execution of arbitrary code in the context of the service account running the MLflow Tracking Server, potentially leading to full system compromise including high confidentiality, integrity, and availability impacts.
Advisories and patches provide mitigation guidance: a fix is implemented in MLflow via the commit at https://github.com/B-Step62/mlflow/commit/2e02bc7bb70df243e6eb792689d9b8eba0013161, and detailed analysis is available in the Zero Day Initiative advisory at https://www.zerodayinitiative.com/advisories/ZDI-25-931/.
MLflow's role in managing machine learning experiment tracking and model deployment introduces AI/ML relevance, as vulnerable tracking servers could expose ML workflows to remote code execution risks.
Details
- CWE(s)