Software Path Traversal (CVE-2025-15036) - Patch Now
CVE-2025-15036
Attackers exploit a critical path traversal in MLflow to overwrite system files. Update to version 3.7.0 or later to block this sandbox escape and privilege escalation vector.
Patch now - CVE-2025-15036 is a critical path traversal in MLflow prior to 3.7.0 that lets an attacker overwrite arbitrary files and escape sandboxes via a malicious tar.gz archive. Upgrade immediately to block privilege escalation and host compromise.
Overview
A critical security vulnerability, identified as CVE-2025-15036, has been discovered in the MLflow open-source platform. This flaw is a path traversal vulnerability that could allow an attacker to overwrite critical files on the system or escape intended security boundaries.
Vulnerability Details
The vulnerability exists in the extract_archive_to_dir function within MLflow’s code, specifically in the file mlflow/pyfunc/dbconnect_artifact_cache.py. In versions prior to 3.7.0, this function does not properly validate the paths of files contained within a tar.gz archive during extraction.
In simple terms, when MLflow processes a specially crafted tar.gz file, it fails to check if the file paths inside the archive are trying to navigate outside the intended destination folder. This allows a malicious file path like ../../../etc/passwd to be accepted, leading to the extraction of the file to a completely different, unauthorized location on the server’s filesystem.
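The containment check described above, written out as an added example (not MLflow's code and not its 3.7.0 fix). `unsafe_members`, `safe_extract` and `build_sample` are hypothetical names, and the sample archive is constructed in memory.

```python
import io
import os
import tarfile


def unsafe_members(archive, dest_dir):
    """Return names of tar members that would resolve outside dest_dir."""
    root = os.path.realpath(dest_dir)

    def escapes(path):
        return os.path.commonpath([root, os.path.realpath(path)]) != root

    bad = []
    for member in archive.getmembers():
        target = os.path.join(root, member.name)  # an absolute name replaces root
        if escapes(target):
            bad.append(member.name)  # "../" sequences or an absolute path
        elif member.issym() and escapes(os.path.join(os.path.dirname(target), member.linkname)):
            bad.append(member.name)  # symlink pointing out of the tree
        elif member.islnk() and escapes(os.path.join(root, member.linkname)):
            bad.append(member.name)  # hard link to a path outside the tree
    return bad


def safe_extract(fileobj, dest_dir):
    """Extract a tar.gz only if every member stays under dest_dir."""
    with tarfile.open(fileobj=fileobj, mode="r:gz") as archive:
        bad = unsafe_members(archive, dest_dir)
        if bad:
            raise ValueError(f"refusing to extract, unsafe members: {bad}")
        # Defence in depth: use the stdlib "data" filter where this Python has it.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        archive.extractall(dest_dir, **extra)


def build_sample(names):
    """Constructed test input: an in-memory tar.gz with one small file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as archive:
        for name in names:
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            archive.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf
```

The whole archive is rejected before anything is written, so a single bad member does not leave a partial extraction behind.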
Impact and Risk
The impact of this vulnerability is severe (CVSS score: 9.6). An attacker who can supply a malicious archive file to a vulnerable MLflow instance could:
- Overwrite arbitrary files, potentially disrupting system operations or corrupting critical data.
- Escape the sandbox directory in multi-tenant or shared cluster environments, accessing or modifying files belonging to other users or the system itself.
- Achieve elevated privileges by overwriting system or application files, which could lead to a full compromise of the host.
This type of flaw is a common vector for serious breaches. For context on how such vulnerabilities can be exploited in real-world attacks, you can review historical incidents in our breach reports.
Remediation and Mitigation
The primary and most effective action is to update the MLflow installation immediately.
- Immediate Patching: Upgrade MLflow to version 3.7.0 or later. This version contains the necessary validation to prevent path traversal during archive extraction.
- Workaround (If Patching is Delayed): If an immediate upgrade is not possible, restrict the processing of tar.gz archive files from untrusted sources within your MLflow workflows. This is a temporary measure and does not eliminate the risk.
- General Security Hygiene: Always practice the principle of least privilege for service accounts running MLflow and maintain regular software updates. Staying informed on emerging threats is crucial; follow the latest developments in our security news section.
Organizations using MLflow, particularly in shared environments, should treat this as a high-priority update to prevent potential system compromise.