Cyber Posture

CVE-2025-15031

Critical · Public PoC

Published: 18 March 2026

Modified: 23 March 2026
KEV Added
Patch
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0036 (58.0th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of `tarfile.extractall` without path validation enables crafted tar.gz files containing `..` or absolute paths to escape the intended extraction directory. This issue affects the latest version of MLflow and poses a high/critical risk in scenarios involving multi-tenant environments or ingestion of untrusted artifacts, as it can lead to arbitrary file overwrites and potential remote code execution.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly requires validation of tar archive entry paths to block path traversal and prevent arbitrary file writes outside the intended extraction directory.

prevent

Mandates timely identification, reporting, and correction of the specific software flaw in MLflow's pyfunc extraction process using tarfile.extractall.

prevent

Enforces least privilege on MLflow processes to restrict the locations and impact of arbitrary file overwrites in multi-tenant environments.
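The entry-path validation named in the first control can be sketched as follows. This is an added example, not MLflow's code or its patch; `safe_extract`, `build_sample_archive`, `check` and `UnsafeArchiveError` are hypothetical names, and the archives are constructed in memory for the demonstration.

```python
import io
import os
import tarfile
import tempfile

class UnsafeArchiveError(Exception):
    """Raised when a tar entry would be written outside the destination."""

def build_sample_archive(names):
    """Constructed sample input: an in-memory tar.gz with one small file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            data = b"sample"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

def safe_extract(fileobj, dest):
    """Validate every entry before anything is written, then extract into dest."""
    dest_root = os.path.realpath(dest)
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        members = tar.getmembers()
        for m in members:
            # Allow only plain files and directories; links and devices can redirect writes.
            if not (m.isfile() or m.isdir()):
                raise UnsafeArchiveError(f"unsupported entry type: {m.name}")
            # os.path.join drops dest_root for absolute names, so they fail this check too.
            target = os.path.realpath(os.path.join(dest_root, m.name))
            if os.path.commonpath([dest_root, target]) != dest_root:
                raise UnsafeArchiveError(f"entry escapes destination: {m.name}")
        # Defense in depth: use the standard library's "data" filter where it exists.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest_root, members=members, **extra)
    return sorted(m.name for m in members)

def check(names):
    """Return the extracted names, or the rejection message, for a constructed archive."""
    with tempfile.TemporaryDirectory() as dest:
        try:
            return safe_extract(build_sample_archive(names), dest)
        except UnsafeArchiveError as exc:
            return str(exc)

if __name__ == "__main__":
    for sample in (["model/MLmodel"], ["model/MLmodel", "../escape.txt"], ["/abs/constructed.txt"]):
        print(sample, "->", check(sample))
```

Validation runs over the whole member list before `extractall` is called, so a rejected archive leaves nothing on disk.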

Security Summary · AI

CVE-2025-15031 is a vulnerability in MLflow's pyfunc extraction process that enables arbitrary file writes due to improper handling of tar archive entries. The issue arises from the use of `tarfile.extractall` without path validation, allowing crafted tar.gz files containing `..` or absolute paths to escape the intended extraction directory. This affects the latest version of MLflow.

The vulnerability has a CVSS score of 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating exploitation over the network with low complexity and no privileges or user interaction required. Remote attackers who can supply a malicious tar.gz file to the pyfunc extraction process can achieve arbitrary file overwrites, potentially leading to remote code execution. It poses a high/critical risk in multi-tenant environments or when ingesting untrusted artifacts.

Mitigation details are available in advisories such as the Huntr bounty report at https://huntr.com/bounties/09856f77-f968-446f-a930-657d126efe4e.

Given MLflow's role in machine learning workflows, this CWE-22 path traversal issue is particularly relevant to AI/ML deployments handling model artifacts.

Details

CWE(s)

Affected Products

lfprojects · mlflow · ≤ 3.10.1

MITRE ATT&CK Enterprise Techniques · AI

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows remote attackers to supply crafted tar.gz files to a public-facing MLflow service, enabling arbitrary file writes via path traversal, directly mapping to exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References