{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15379", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2025-12-30T21:24:21.058Z", "datePublished": "2026-03-30T07:16:57.610Z", "dateUpdated": "2026-03-31T13:50:57.378Z"}, "containers": {"cna": {"title": "Command Injection in mlflow/mlflow", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2026-03-30T07:16:57.610Z"}, "descriptions": [{"lang": "en", "value": "A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model artifact's `python_env.yaml` file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects versions 3.8.0 and is fixed in version 3.8.2."}], "affected": [{"vendor": "mlflow", "product": "mlflow/mlflow", "versions": [{"version": "unspecified", "lessThan": "3.8.2", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/dc9c1c20-7879-4050-87df-4d095fe5ca75"}, {"url": "https://github.com/mlflow/mlflow/commit/361b6f620adf98385c6721e384fb5ef9a30bb05e"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10, "baseSeverity": "CRITICAL"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')", "cweId": "CWE-77"}]}], "source": {"advisory": "dc9c1c20-7879-4050-87df-4d095fe5ca75", "discovery": "EXTERNAL"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T03:55:37.623494Z", "id": "CVE-2025-15379", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T13:50:57.378Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15379", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-31T03:55:37.623494Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T13:34:44.912Z"}}], "cna": {"title": "Command Injection in mlflow/mlflow", "source": {"advisory": "dc9c1c20-7879-4050-87df-4d095fe5ca75", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "CHANGED", "version": "3.0", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "mlflow", "product": "mlflow/mlflow", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "3.8.2", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/dc9c1c20-7879-4050-87df-4d095fe5ca75"}, {"url": "https://github.com/mlflow/mlflow/commit/361b6f620adf98385c6721e384fb5ef9a30bb05e"}], "descriptions": [{"lang": "en", "value": "A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model artifact's `python_env.yaml` file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects versions 3.8.0 and is fixed in version 3.8.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2026-03-30T07:16:57.610Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15379", "state": "PUBLISHED", "dateUpdated": "2026-03-30T13:34:48.736Z", "dateReserved": "2025-12-30T21:24:21.058Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2026-03-30T07:16:57.610Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model artifact's `python_env.yaml` file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects versions 3.8.0 and is fixed in version 3.8.2."}], "id": "CVE-2025-15379", "lastModified": "2026-03-30T13:26:07.647", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "security@huntr.dev", "type": "Secondary"}]}, "published": "2026-03-30T08:16:15.667", "references": [{"source": "security@huntr.dev", "url": "https://github.com/mlflow/mlflow/commit/361b6f620adf98385c6721e384fb5ef9a30bb05e"}, {"source": "security@huntr.dev", "url": "https://huntr.com/bounties/dc9c1c20-7879-4050-87df-4d095fe5ca75"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "security@huntr.dev", "type": "Primary"}]}

{"bugzilla": {"description": "mlflow: MLflow: Arbitrary command execution via command injection in model serving container initialization.", "id": "2452949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452949"}, "csaw": false, "cvss3": {"cvss3_base_score": "10.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-78", "details": ["A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model artifact's `python_env.yaml` file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects versions 3.8.0 and is fixed in version 3.8.2.", "A flaw was found in MLflow. When deploying a model with `env_manager=LOCAL`, MLflow's model serving container initialization code, specifically the `_install_model_dependencies_to_env()` function, reads dependency specifications from the model artifact's `python_env.yaml` file. An attacker can supply a malicious model artifact, leading to command injection as these specifications are directly interpolated into a shell command without proper sanitization. This allows for arbitrary command execution on systems deploying the malicious model."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, avoid deploying MLflow models with `env_manager=LOCAL`. If using `env_manager=LOCAL` is unavoidable, ensure that all model artifacts, particularly their `python_env.yaml` files, originate from trusted sources and are thoroughly vetted for malicious content. This operational control helps prevent the injection of arbitrary commands during model serving container initialization."}, "name": "CVE-2025-15379", "package_state": [{"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-mlflow-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-training-cuda128-torch29-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-03-30T07:16:57Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-15379\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-15379\nhttps://github.com/mlflow/mlflow/commit/361b6f620adf98385c6721e384fb5ef9a30bb05e\nhttps://huntr.com/bounties/dc9c1c20-7879-4050-87df-4d095fe5ca75"], "statement": "This vulnerability in MLflow allows for arbitrary command execution when deploying a model with `env_manager=LOCAL`. An attacker can supply a malicious model artifact containing a crafted `python_env.yaml` file, leading to command injection during container initialization. During the deployment of the model MLflow passes the maliciously crafted requirement string to the shell command without properly sanitization of possible command injections, as consequence the attacker may be able to execute arbitrary code at the same permission level as the user running the MLflow process.", "threat_severity": "Critical"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.8.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "mlflow/mlflow", "source": "cna", "vendor": "mlflow"}, "product": "mlflow", "vendor": "mlflow"}], "analysis": {"en": {"generated_at": "2026-03-30T08:20:35.400285+00:00", "value": {"mitigation_remediation": ["Upgrade MLflow to version 3.8.2 or later.", "If a patch cannot be applied immediately, restrict model artifact sources to trusted registries and validate python_env.yaml files for unexpected commands before deployment."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary Command Execution"}, "threat_synthesis": {"affected_systems": "The flaw affects the mlflow/mlflow product, specifically version 3.8.0. The fix is implemented in 3.8.2 and later releases. All installations that use the LOCAL environment manager and deploy models based on python_env.yaml files are at risk.", "description_and_impact": "MLflow's model serving container initialization includes a critical command injection flaw in the _install_model_dependencies_to_env() function. When a model is deployed with env_manager=LOCAL, MLflow reads dependency specifications from the model artifact's python_env.yaml file and directly inserts them into a shell command without any sanitization. This omission allows an attacker who can supply a malicious model artifact to execute arbitrary commands on the deployment host, compromising confidentiality, integrity, and availability. The vulnerability is classified as a high\u2011impact remote code execution issue.", "risk_and_exploitability": "The CVSS score for this vulnerability is 10, indicating a critical severity. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog. Based on the description, the most likely attack vector is remote: an adversary could introduce a compromised model artifact into the deployment pipeline or model registry, thereby triggering the vulnerable code path. Successful exploitation would allow execution of any command with the privileges of the MLflow service process. The absence of an EPSS score and KEV listing does not diminish the critical nature implied by the CVSS rating."}}}}, "created": "2026-03-30T20:56:05.461945+00:00", "updated": "2026-03-31T20:41:12.960424+00:00", "vendors": ["mlflow", "mlflow$PRODUCT$mlflow"]}