Cyber Resilience

CVE-2025-15031

Critical · Public PoC · Updated

Published: 18 March 2026

Modified: 30 June 2026
KEV Added
Patch
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0071 (48.8th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-15031 is a critical-severity Path Traversal (CWE-22) vulnerability in Lfprojects Mlflow. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 48.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised under Machine Learning Libraries, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-15031 is a vulnerability in MLflow's pyfunc extraction process that enables arbitrary file writes due to improper handling of tar archive entries. The issue arises from the use of `tarfile.extractall` without path validation, allowing crafted tar.gz files containing `..` or absolute paths to escape the intended extraction directory. This affects the latest version of MLflow.

The vulnerability has a CVSS score of 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating exploitation over the network with low complexity and no privileges or user interaction required. Remote attackers who can supply a malicious tar.gz file to the pyfunc extraction process can achieve arbitrary file overwrites, potentially leading to remote code execution. It poses a high/critical risk in multi-tenant environments or when ingesting untrusted artifacts.

Mitigation details are available in advisories such as the Huntr bounty report at https://huntr.com/bounties/09856f77-f968-446f-a930-657d126efe4e.

Given MLflow's role in machine learning workflows, this CWE-22 path traversal issue is particularly relevant to AI/ML deployments handling model artifacts.
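The path validation that the analysis above says is missing can be sketched as follows. This is an added example, not MLflow's code or its patch; the function names and the in-memory sample archive are constructed for illustration.

```python
import io
import os
import shutil
import tarfile


def build_sample_archive(names):
    """Build an in-memory tar.gz of constructed test entries (not a real model)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def is_within(base, target):
    """True if target resolves to base itself or to a path beneath it."""
    base = os.path.realpath(base)
    return os.path.commonpath([base, os.path.realpath(target)]) == base


def safe_extract(archive_bytes, dest):
    """Write only regular files and directories that stay inside dest.

    Returns (extracted, rejected) lists of member names.
    """
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar:
            # os.path.join drops dest when member.name is absolute, so the
            # containment check rejects absolute paths as well as "..".
            target = os.path.join(dest, member.name)
            # Links and device nodes are refused: they are not needed here
            # and can redirect later writes.
            if not (member.isfile() or member.isdir()) or not is_within(dest, target):
                rejected.append(member.name)
                continue
            if member.isdir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with tar.extractfile(member) as src, open(target, "wb") as out:
                    shutil.copyfileobj(src, out)
            extracted.append(member.name)
    return extracted, rejected
```

On Python versions that support extraction filters, `extractall(path, filter="data")` from the standard library applies comparable checks and is the simpler choice where it is available.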

Vulnerability details

A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of `tarfile.extractall` without path validation enables crafted tar.gz files containing `..` or absolute paths to escape the intended extraction directory. This issue affects the latest version of MLflow and poses a high/critical risk in scenarios involving multi-tenant environments or ingestion of untrusted artifacts, as it can lead to arbitrary file overwrites and potential remote code execution.

CWE(s)

AI Security Analysis

AI Category: Machine Learning Libraries
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: mlflow

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability allows remote attackers to supply crafted tar.gz files to a public-facing MLflow service, enabling arbitrary file writes via path traversal, directly mapping to exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-11201 (same product: Lfprojects Mlflow)
CVE-2026-2652 (same product: Lfprojects Mlflow)
CVE-2025-11200 (same product: Lfprojects Mlflow)
CVE-2026-0545 (same product: Lfprojects Mlflow)
CVE-2025-14287 (same product: Lfprojects Mlflow)
CVE-2025-1473 (same product: Lfprojects Mlflow)
CVE-2024-8859 (same product: Lfprojects Mlflow)
CVE-2026-0596 (same product: Lfprojects Mlflow)
CVE-2026-4035 (same product: Lfprojects Mlflow)
CVE-2025-0453 (same product: Lfprojects Mlflow)

Affected Assets

lfprojects mlflow ≤ 3.10.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires validation of tar archive entry paths to block path traversal and prevent arbitrary file writes outside the intended extraction directory.

prevent

Mandates timely identification, reporting, and correction of the specific software flaw in MLflow's pyfunc extraction process using tarfile.extractall.

prevent

Enforces least privilege on MLflow processes to restrict the locations and impact of arbitrary file overwrites in multi-tenant environments.
