Cyber Resilience

CVE-2025-15379

Critical · Public PoC · RCE · Updated

Published: 30 March 2026

Modified: 30 June 2026
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0236 (81.6th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-15379 is a critical-severity Command Injection (CWE-77) vulnerability in MLflow (vendor: lfprojects). Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 18.4% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised as Other Platforms, in the Supply Chain and Deployment risk domain.

Vulnerability details

A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model artifact's `python_env.yaml` file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects versions 3.8.0 and is fixed in version 3.8.2.

AI Security Analysis

AI Category: Other Platforms
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: mlflow

Related Threats

CVEs Like This One

CVE-2026-4399 (Shared CWE-77)
CVE-2026-22864 (Shared CWE-77)
CVE-2026-21518 (Shared CWE-77)
CVE-2024-57590 (Shared CWE-77)
CVE-2026-21638 (Shared CWE-77)
CVE-2025-64090 (Shared CWE-77)
CVE-2025-55125 (Shared CWE-77)
CVE-2024-57036 (Shared CWE-77)
CVE-2026-30615 (Shared CWE-77)
CVE-2026-26791 (Shared CWE-77)

Affected Assets

lfprojects mlflow, versions 3.8.0 to 3.8.1

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.
