CVE Catalog

CVE-2025-15379

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

High risk
1.99%

78th percentile — higher than 78% of all known CVEs

Summary

A command injection vulnerability exists in MLflow's model serving container initialization code. The `_install_model_dependencies_to_env()` function directly interpolates dependencies from `python_env.yaml` into a shell command without sanitization, allowing arbitrary command execution.

Risk Assessment

An attacker can supply a malicious model artifact that, when deployed, enables remote arbitrary command execution, leading to full system compromise and potential data exfiltration.

Recommendation

Upgrade MLflow to version 3.8.2 or later immediately. Before upgrading, verify the provenance of all deployed models.

Original NVD description (English source)

A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model artifact's `python_env.yaml` file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects versions 3.8.0 and is fixed in version 3.8.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS