CVE-2025-15036
Path Traversal Vulnerability in mlflow/mlflow
CVSS Score
9.6
EPSS Score
0.1%
EPSS Percentile
15th
A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member paths during extraction. An attacker with control over the tar.gz file can exploit this issue to overwrite arbitrary files or gain elevated privileges, potentially escaping the sandbox directory in multi-tenant or shared cluster environments.
| CWE | CWE-29 |
| Vendor | mlflow |
| Product | mlflow/mlflow |
| Published | Mar 30, 2026 |
| Last Updated | Mar 31, 2026 |
Stay Ahead of the Next One
Get instant alerts for mlflow mlflow/mlflow
Be the first to know when new critical vulnerabilities affecting mlflow mlflow/mlflow are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H Affected Versions
mlflow / mlflow/mlflow
unspecified < 3.9.0