{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15036", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2025-12-23T01:57:43.568Z", "datePublished": "2026-03-30T01:16:06.400Z", "dateUpdated": "2026-03-31T03:55:39.134Z"}, "containers": {"cna": {"title": "Path Traversal Vulnerability in mlflow/mlflow", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2026-03-30T01:16:06.400Z"}, "descriptions": [{"lang": "en", "value": "A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member paths during extraction. An attacker with control over the tar.gz file can exploit this issue to overwrite arbitrary files or gain elevated privileges, potentially escaping the sandbox directory in multi-tenant or shared cluster environments."}], "affected": [{"vendor": "mlflow", "product": "mlflow/mlflow", "versions": [{"version": "unspecified", "lessThan": "3.9.0", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/36c314cf-fd6e-4fb0-b9b0-1b47bcdf0eb0"}, {"url": "https://github.com/mlflow/mlflow/commit/3bf6d81ac4d38654c8ff012dbd0c3e9f17e7e346"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "baseScore": 9.6, "baseSeverity": "CRITICAL"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-29 Path Traversal: '\\..\\filename'", "cweId": "CWE-29"}]}], "source": {"advisory": "36c314cf-fd6e-4fb0-b9b0-1b47bcdf0eb0", "discovery": "EXTERNAL"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T00:00:00+00:00", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2025-15036"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T03:55:39.134Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15036", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-30T14:01:01.168966Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:01:09.340Z"}}], "cna": {"title": "Path Traversal Vulnerability in mlflow/mlflow", "source": {"advisory": "36c314cf-fd6e-4fb0-b9b0-1b47bcdf0eb0", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "CHANGED", "version": "3.0", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "mlflow", "product": "mlflow/mlflow", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "3.9.0", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/36c314cf-fd6e-4fb0-b9b0-1b47bcdf0eb0"}, {"url": "https://github.com/mlflow/mlflow/commit/3bf6d81ac4d38654c8ff012dbd0c3e9f17e7e346"}], "descriptions": [{"lang": "en", "value": "A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member paths during extraction. An attacker with control over the tar.gz file can exploit this issue to overwrite arbitrary files or gain elevated privileges, potentially escaping the sandbox directory in multi-tenant or shared cluster environments."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-29", "description": "CWE-29 Path Traversal: '\\..\\filename'"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2026-03-30T01:16:06.400Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15036", "state": "PUBLISHED", "dateUpdated": "2026-03-31T03:55:39.134Z", "dateReserved": "2025-12-23T01:57:43.568Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2026-03-30T01:16:06.400Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member paths during extraction. An attacker with control over the tar.gz file can exploit this issue to overwrite arbitrary files or gain elevated privileges, potentially escaping the sandbox directory in multi-tenant or shared cluster environments."}], "id": "CVE-2025-15036", "lastModified": "2026-03-30T13:26:07.647", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "security@huntr.dev", "type": "Secondary"}]}, "published": "2026-03-30T02:16:14.413", "references": [{"source": "security@huntr.dev", "url": "https://github.com/mlflow/mlflow/commit/3bf6d81ac4d38654c8ff012dbd0c3e9f17e7e346"}, {"source": "security@huntr.dev", "url": "https://huntr.com/bounties/36c314cf-fd6e-4fb0-b9b0-1b47bcdf0eb0"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-29"}], "source": "security@huntr.dev", "type": "Primary"}]}

{"bugzilla": {"description": "mlflow: mlflow: Path traversal vulnerability allows arbitrary file overwrite and privilege escalation", "id": "2452925", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452925"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-22", "details": ["A flaw was found in mlflow. A path traversal vulnerability exists in the `extract_archive_to_dir` function, which is responsible for extracting archives. An attacker who can control the input tar.gz file can exploit this vulnerability due to insufficient validation of paths within the archive. This allows the attacker to overwrite arbitrary files, potentially leading to privilege escalation or escaping the intended sandbox environment in multi-tenant or shared cluster setups."], "name": "CVE-2025-15036", "package_state": [{"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-mlflow-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-training-cuda128-torch29-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-03-30T01:16:06Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-15036\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-15036\nhttps://github.com/mlflow/mlflow/commit/3bf6d81ac4d38654c8ff012dbd0c3e9f17e7e346\nhttps://huntr.com/bounties/36c314cf-fd6e-4fb0-b9b0-1b47bcdf0eb0"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.9.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "mlflow/mlflow", "source": "cna", "vendor": "mlflow"}, "product": "mlflow/mlflow", "vendor": "mlflow"}], "analysis": {"en": {"generated_at": "2026-03-31T05:27:03.912674+00:00", "value": {"mitigation_remediation": ["Upgrade mlflow to version 3.7.0 or later, which includes proper validation of tar member paths.", "If upgrading immediately is not feasible, restrict or sanitize any user\u2011supplied tar.gz archives to guarantee that extraction remains confined within the intended directory and verify that no forbidden paths are present.", "Review existing extracted artifacts and system files for signs of unauthorized modifications to ensure no compromise has already occurred."], "summary": {"action": "Immediate Patch", "impact": "Remote code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the mlflow open\u2011source machine learning platform. All releases before version 3.7.0 are impacted; upgrades to 3.7.0 or later mitigate the issue.", "description_and_impact": "A path traversal flaw in mlflow\u2019s \u201cextract_archive_to_dir\u201d function lacks validation of tar archive member paths. An attacker who can supply a crafted tar.gz file can cause the function to write files outside the intended directory, allowing overwriting of arbitrary files or escape from a sandbox. This can lead to privilege escalation or arbitrary code execution, compromising confidentiality, integrity, and availability.", "risk_and_exploitability": "The CVSS score of 9.6 indicates critical severity, yet the EPSS score is below 1\u202f%, showing a low current exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector would involve remotely uploading a malicious tar.gz file to a mlflow instance that performs automatic extraction. If such uploads are possible, an attacker could overwrite critical files or elevate privileges. The risk remains high given the potential impact, even though the probability of exploitation appears low at present."}}}}, "created": "2026-03-30T06:57:55.922805+00:00", "updated": "2026-03-31T20:00:19.310664+00:00", "vendors": ["mlflow", "mlflow$PRODUCT$mlflow/mlflow"]}