Arbitrary file write via tar traversal in mlflow

GHSA-fhff-qmm8-h2fp · BIT-mlflow-2025-15031 · CVE-2025-15031

Published Mar 19, 2026 · Modified Mar 24, 2026

Description

A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of tarfile.extractall without path validation enables crafted tar.gz files containing .. or absolute paths to escape the intended extraction directory. This issue affects the latest version of MLflow and poses a high/critical risk in scenarios involving multi-tenant environments or ingestion of untrusted artifacts, as it can lead to arbitrary file overwrites and potential remote code execution.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-15031
WEB https://github.com/mlflow/mlflow/commit/3bf6d81ac4d38654c8ff012dbd0c3e9f17e7e346
PACKAGE https://github.com/mlflow/mlflow
WEB https://github.com/mlflow/mlflow/blob/fe4d9be330426904283401f1d2ed914238b6fc37/mlflow/pyfunc/dbconnect_artifact_cache.py#L140
WEB https://huntr.com/bounties/09856f77-f968-446f-a930-657d126efe4e

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes