CVE-2025-15031
Published: 18 March 2026
Summary
CVE-2025-15031 is a critical-severity Path Traversal (CWE-22) vulnerability in Lfprojects Mlflow. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 44.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of tar archive entry paths to block path traversal and prevent arbitrary file writes outside the intended extraction directory.
Mandates timely identification, reporting, and correction of the specific software flaw in MLflow's pyfunc extraction process using tarfile.extractall.
Enforces least privilege on MLflow processes to restrict the locations and impact of arbitrary file overwrites in multi-tenant environments.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows remote attackers to supply crafted tar.gz files to a public-facing MLflow service, enabling arbitrary file writes via path traversal, directly mapping to exploitation of a public-facing application.
NVD Description
A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of `tarfile.extractall` without path validation enables crafted tar.gz files containing `..` or absolute paths to escape the…
more
intended extraction directory. This issue affects the latest version of MLflow and poses a high/critical risk in scenarios involving multi-tenant environments or ingestion of untrusted artifacts, as it can lead to arbitrary file overwrites and potential remote code execution.
Deeper analysisAI
CVE-2025-15031 is a vulnerability in MLflow's pyfunc extraction process that enables arbitrary file writes due to improper handling of tar archive entries. The issue arises from the use of `tarfile.extractall` without path validation, allowing crafted tar.gz files containing `..` or absolute paths to escape the intended extraction directory. This affects the latest version of MLflow.
The vulnerability has a CVSS score of 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating exploitation over the network with low complexity, no privileges or user interaction required. Remote attackers who can supply a malicious tar.gz file to the pyfunc extraction process can achieve arbitrary file overwrites, potentially leading to remote code execution. It poses a high/critical risk in multi-tenant environments or when ingesting untrusted artifacts.
Mitigation details are available in advisories such as the Huntr bounty report at https://huntr.com/bounties/09856f77-f968-446f-a930-657d126efe4e.
Given MLflow's role in machine learning workflows, this CWE-22 path traversal issue is particularly relevant to AI/ML deployments handling model artifacts.
Details
- CWE(s)