External risk intelligence

MLflow Arbitrary File Write via Tar Archive Extraction

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2025-15031

MLflow is typically used in data science environments, often running on internal servers or private clusters. While these services can be exposed to the internet or reachable in multi-tenant environments where untrusted artifacts are ingested, they are not inherently public-facing gateways or edge services by default design.

Path Traversal

Lfprojects Mlflow

3.10.1 and earlier

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in MLflow's file extraction process could allow attackers to write arbitrary files to your systems by sending specially crafted archive files. This risk is heightened in environments where MLflow handles files from multiple sources or tenants, potentially leading to unauthorized access or control.

  • Uncontrolled file writing in MLflow.
  • Impacts systems handling untrusted MLflow archives.
  • Confirm exposure; evaluate impact on MLflow usage.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by uploading a specially crafted archive file. When MLflow processes this archive to extract model components, the flawed handling of file paths within the archive allows the attacker's code to write files to arbitrary locations on the server. This could overwrite critical system files or application components, potentially leading to the attacker gaining control of the server.

  • Unauthenticated access to MLflow artifact ingestion.
  • Uploading a malicious tar.gz archive.
  • Arbitrary file overwrite and potential code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to write arbitrary files to the system by providing a specially crafted archive. This could occur when MLflow processes untrusted tar.gz files containing directory traversal or absolute path elements, potentially impacting system integrity or allowing for further compromise.

  • System files could be overwritten.
  • Malicious archives could be extracted.
  • Arbitrary file writes may occur.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in MLflow's pyfunc extraction process requires immediate attention, particularly in multi-tenant or untrusted artifact ingestion scenarios. Platform or data science teams are likely responsible for MLflow deployments. The first practical step is to identify all MLflow instances, assess their exposure and criticality, and then confirm ownership to plan risk-based remediation.

  • Confirm MLflow instances and exposure.
  • Identify accountable application/platform owners.
  • Plan remediation based on risk assessment.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is MLflow and how is it used?

MLflow is an open-source platform managed by LF Projects, widely used by data scientists to manage the machine learning lifecycle. It helps track experiments, package code into reproducible runs, and deploy models. In many organizations, it serves as a central hub for storing model artifacts and metadata, making it a critical component for teams coordinating shared model development and deployment workflows.

What does CWE-22 mean for CVE-2025-15031?

CWE-22 is the weakness class for Path Traversal. In this CVE, it means the software fails to properly sanitize filenames when extracting tar archives. Because the code does not validate paths before writing them, a malicious archive can include instructions to save files outside of the intended directory—such as using '..' sequences—effectively allowing an attacker to write files anywhere the MLflow process has permission to reach.

How does an attacker trigger this vulnerability?

An attacker triggers this by providing a specially crafted tar.gz archive to the MLflow pyfunc extraction process. The process must ingest or process this malicious file for the vulnerability to occur. Simply having the software installed is not enough; the bug relies on the system automatically unpacking an untrusted or manipulated archive containing path traversal characters.

Is my MLflow deployment at risk?

According to Halo Surface Signal, MLflow is often used in private clusters or internal data science environments. While not typically a public-facing edge service, your risk increases significantly if your setup ingests artifacts from untrusted users or operates in a multi-tenant environment. If your MLflow instance is reachable from broader networks or handles third-party model uploads, it should be considered a higher priority.

What should I do if I run MLflow?

Start by identifying all instances of MLflow within your infrastructure to understand your potential surface area. Determine if any of these instances are configured to process external or untrusted model archives. Once identified, locate the application owners for those specific deployments so you can coordinate a risk assessment and plan for necessary updates or configuration changes to secure your artifact ingestion process.

References