External risk intelligence

MLflow Command Injection Vulnerability in Model Serving

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2025-15379

MLflow is commonly deployed as a model serving service or API endpoint. While the vulnerability requires a malicious model artifact to be processed, the nature of MLflow involves accepting and deploying artifacts in production environments, making the underlying model serving infrastructure a frequent target for network-accessible services.

OS Command Injection

Lfprojects Mlflow

3.8.0 to 3.8.1

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A command injection vulnerability has been identified in MLflow, a platform for managing the machine learning lifecycle. This issue could allow attackers to execute arbitrary commands on systems deploying models through MLflow by submitting a specially crafted model artifact.

  • Malicious code can run if models are deployed.
  • Affects systems serving MLflow models.
  • Confirm if MLflow model serving is in use.

Attack Path

How an attacker could exploit the issue

An attacker can achieve arbitrary command execution by providing a specially crafted model artifact to an MLflow deployment. When MLflow initializes a model's environment using the `LOCAL` setting, it processes a `python_env.yaml` file from the artifact. This file's contents are directly inserted into a system command without proper checking, allowing an attacker to inject their own commands.

  • Requires uploading a malicious model.
  • Triggered during model dependency installation.
  • Risk of arbitrary command execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to execute arbitrary commands on systems that deploy MLflow models using local environment management. When a model is deployed, MLflow reads its dependency specifications from a `python_env.yaml` file and inserts them directly into a shell command without proper validation. This means a specially crafted model artifact could lead to unauthorized command execution on the host system where the model is being served.

  • System commands on model serving hosts.
  • Malicious model artifact injection.
  • Arbitrary command execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in MLflow's model serving initialization requires identifying where MLflow is deployed, confirming its reachability and criticality, and locating the accountable owner before planning remediation. Given the command injection flaw, security or platform teams typically manage MLflow deployments, while application owners are responsible for the models served. The first practical step involves asset discovery and exposure assessment, followed by vendor coordination if necessary.

  • Own by MLflow deployment and model owners.
  • Verify MLflow deployment reachability and criticality.
  • Plan remediation or implement mitigating controls.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is MLflow?

MLflow is an open-source platform managed by LF Projects designed to handle the machine learning lifecycle. Teams use it to track experiments, package machine learning code into reproducible formats, and serve models as APIs or services in production environments.

What does CVE-2025-15379 mean for system security?

This CVE represents a command injection vulnerability (CWE-77/CWE-78). In plain English, the software fails to properly clean instructions within a configuration file. Because the system treats this data as a command to be executed rather than simple text, a specially prepared file allows an attacker to run unauthorized commands on the server.

How is this command injection vulnerability triggered?

The flaw occurs specifically when MLflow initializes a model's environment with the LOCAL setting. The system reads dependency requirements from a file named python_env.yaml and runs them. It is not triggered if this specific configuration management setting is disabled or if the system is not actively deploying models using that method.

Why should I care about this if my MLflow service is internal?

Halo Surface Signal indicates this is a high-priority concern because MLflow is typically architected as a model-serving service or network-accessible API endpoint. Even if internal, any process that allows the automated ingestion and deployment of model artifacts could be manipulated to trigger the command injection if an attacker can introduce a malicious artifact.

How do I respond to this vulnerability?

Your first step is to audit your infrastructure to identify all active MLflow instances and verify their current version. If you are running version 3.8.0 or 3.8.1, you should coordinate with your platform team to prioritize an update to version 3.8.2, which contains the necessary fix for the dependency installation process.

References