CVE-2025-15036 - Vulnerability Details

Description

A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member paths during extraction. An attacker with control over the tar.gz file can exploit this issue to overwrite arbitrary files or gain elevated privileges, potentially escaping the sandbox directory in multi-tenant or shared cluster environments.

Published: 2026-03-30

Score: 9.6 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A path traversal flaw resides in the extract_archive_to_dir function within mlflow's artifact cache module. Because tar member paths are not validated, a maliciously crafted tar.gz file can cause the service to write files outside its intended directory. This enables an attacker to overwrite critical configuration files or inject code, effectively creating a privilege escalation or remote code execution vector on shared clusters.

Affected Systems

mlflow, the open‑source machine‑learning platform, is affected in all releases prior to v3.7.0. Users running older mlflow versions on multi‑tenant or shared clusters are at risk.

Risk and Exploitability

The CVSS score of 9.6 indicates a very high severity vulnerability, and the KEV database does not list it, which does not reduce the threat. No EPSS score is available, but the exploit path is straightforward: an attacker who can provide a malicious tar.gz file to mlflow must craft a parent‑directory reference that allows the service to escape the sandbox. Based on the description, it is inferred that the attack vector requires the attacker to supply such a file, so environments that accept untrusted archives face a high likelihood of exploitation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

mlflow

mlflow/mlflow

affected

Version	Status	Constraints
`unspecified`	affected	< 3.9.0

No data.

Vendor Product Confidence Versions

Mlflow

Mlflow/mlflow

100%

Version	Status	Scheme	Platform
`[0,3.9.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the vendor patch by upgrading mlflow to version 3.7.0 or later.
Verify that the upgrade has been deployed in all environments, especially multi‑tenant clusters.
If an immediate upgrade is not feasible, configure the artifact cache to reject tar files containing parent‑directory references or enforce strict extraction directories to prevent sandbox escape.
Monitor logs for unauthorized file writes or directory changes that may indicate an attack attempt.

Generated by OpenCVE AI on March 30, 2026 at 05:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0005.

Exploitation poc

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/mlflow/mlflow/commit/3bf6d81ac4d38654c8ff012dbd0c3e9f17e7e346
https://huntr.com/bounties/36c314cf-fd6e-4fb0-b9b0-1b47bcdf0eb0

History

Mon, 30 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 30 Mar 2026 07:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mlflow Mlflow mlflow/mlflow
Vendors & Products		Mlflow Mlflow mlflow/mlflow

Mon, 30 Mar 2026 03:30:00 +0000

Type	Values Removed	Values Added
Description		A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member paths during extraction. An attacker with control over the tar.gz file can exploit this issue to overwrite arbitrary files or gain elevated privileges, potentially escaping the sandbox directory in multi-tenant or shared cluster environments.
Title		Path Traversal Vulnerability in mlflow/mlflow
Weaknesses		CWE-29
References		https://github.com/mlflow/mlflow/commit/3bf6d81ac4d38654c8ff012dbd0c3e9f17e7e346 https://huntr.com/bounties/36c314cf-fd6e-4fb0-b9b0-1b47bcdf0eb0
Metrics		cvssV3_0 `{'score': 9.6, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}`

Subscriptions

Mlflow Mlflow/mlflow

MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2026-03-30T01:16:06.400Z

Updated: 2026-03-30T14:01:12.722Z

Reserved: 2025-12-23T01:57:43.568Z

Link: CVE-2025-15036

Vulnrichment

Updated: 2026-03-30T14:01:09.340Z

NVD

Status : Awaiting Analysis

Published: 2026-03-30T02:16:14.413

Modified: 2026-03-30T13:26:07.647

Link: CVE-2025-15036

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T07:03:45Z

Weaknesses

CWE-29

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation poc

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object