Description
A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of `tarfile.extractall` without path validation enables crafted tar.gz files containing `..` or absolute paths to escape the intended extraction directory. This issue affects the latest version of MLflow and poses a high/critical risk in scenarios involving multi-tenant environments or ingestion of untrusted artifacts, as it can lead to arbitrary file overwrites and potential remote code execution.
Published: 2026-03-18
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file overwrite that can lead to remote code execution
Action: Immediate Patch
AI Analysis

Impact

The flaw is in MLflow’s pyfunc extraction routine when handling tar.gz files. A malicious archive can contain path traversal sequences or absolute paths. Because tarfile.extractall is called without validating entry paths, files are written outside the intended extraction directory. An attacker could overwrite critical configuration files or inject executable code, which may result in remote code execution on the MLflow server.

Affected Systems

The vulnerability affects the MLflow platform supplied by the vendor mlflow, specifically the product mlflow/mlflow. It is present in the current latest release of MLflow; no older versions are specified, so users should confirm the version they run against vendor guidance.

Risk and Exploitability

The CVSS score of 9.1 indicates a critical severity. The EPSS score is below 1%, suggesting a low but non‑negligible likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires providing a crafted tar.gz file to the MLflow pyfunc extraction endpoint, which is common in multi‑tenant or untrusted artifact ingestion scenarios. Successful exploitation would allow arbitrary file overwrite and could lead to remote code execution.

Generated by OpenCVE AI on March 23, 2026 at 19:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest MLflow patch or upgrade to a version where the pyfunc extraction uses validated paths.
  • If a patch is not yet available, restrict ingestion of tar.gz artifacts to trusted sources and validate archive contents before extraction.
  • Consider disabling the pyfunc extraction feature or preventing untrusted archive uploads until the vulnerability is fixed.

Generated by OpenCVE AI on March 23, 2026 at 19:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fhff-qmm8-h2fp Arbitrary file write via tar traversal in mlflow
History

Mon, 23 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Lfprojects
Lfprojects mlflow
CPEs cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*
Vendors & Products Lfprojects
Lfprojects mlflow
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

 cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Thu, 19 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

threat_severity

Important

Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Mlflow
Mlflow mlflow/mlflow
Vendors & Products Mlflow
Mlflow mlflow/mlflow

Wed, 18 Mar 2026 22:30:00 +0000

Type Values Removed Values Added
Description A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of `tarfile.extractall` without path validation enables crafted tar.gz files containing `..` or absolute paths to escape the intended extraction directory. This issue affects the latest version of MLflow and poses a high/critical risk in scenarios involving multi-tenant environments or ingestion of untrusted artifacts, as it can lead to arbitrary file overwrites and potential remote code execution.
Title Path Traversal Vulnerability in mlflow/mlflow
Weaknesses CWE-22
References
Metrics cvssV3_0

{'score': 8.1, 'vector': 'CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Lfprojects Mlflow
Mlflow Mlflow/mlflow
cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-03-19T13:52:40.477Z

Reserved: 2025-12-22T14:49:46.957Z

Link: CVE-2025-15031

cve-icon Vulnrichment

Updated: 2026-03-19T13:52:35.965Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T23:17:28.693

Modified: 2026-03-23T17:48:45.340

Link: CVE-2025-15031

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-18T22:06:47Z

Links: CVE-2025-15031 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T11:51:54Z

Weaknesses