CVE-2025-11201

CVE-2025-11201 is a remote code execution vulnerability affecting the MLflow Tracking Server, stemming from a directory traversal flaw (CWE-22) in the handling of model file paths during model creation. The issue arises due to insufficient validation of user-supplied paths before they are used in file operations, allowing attackers to manipulate paths arbitrarily. This critical vulnerability, assigned a CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), impacts affected installations of the MLflow Tracking Server and was previously tracked as ZDI-CAN-26921.

Remote attackers can exploit this vulnerability over the network without authentication, requiring no user interaction or privileges. Successful exploitation enables the execution of arbitrary code in the context of the service account running the MLflow Tracking Server, potentially leading to full system compromise including high confidentiality, integrity, and availability impacts.

Advisories and patches provide mitigation guidance: a fix is implemented in MLflow via the commit at https://github.com/B-Step62/mlflow/commit/2e02bc7bb70df243e6eb792689d9b8eba0013161, and detailed analysis is available in the Zero Day Initiative advisory at https://www.zerodayinitiative.com/advisories/ZDI-25-931/.

MLflow's role in managing machine learning experiment tracking and model deployment introduces AI/ML relevance, as vulnerable tracking servers could expose ML workflows to remote code execution risks.