Critical (10.0)

Software Command Injection (CVE-2025-15379) - Patch Now

CVE-2025-15379

A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_...

Overview

A critical command injection vulnerability, CVE-2025-15379, exists in the MLflow machine learning platform. This flaw is present in the model serving container initialization code, specifically within the _install_model_dependencies_to_env() function. When a model is deployed with the env_manager=LOCAL setting, MLflow unsafely processes dependency specifications from a model’s python_env.yaml file, allowing an attacker to inject and execute arbitrary shell commands on the target system.

Vulnerability Details

The vulnerability stems from missing input validation. When MLflow reads a model artifact's python_env.yaml to install its Python dependencies, the dependency strings are interpolated directly into a shell command. An attacker can therefore publish a model artifact whose dependency list carries shell metacharacters followed by a command of their choosing; when a victim deploys that model with env_manager=LOCAL, the payload runs as a system command on the host serving the model. The flaw has been assigned the maximum CVSS score of 10.0. The attacker needs no account on the MLflow server itself; what they need is for someone to deploy an artifact they control, which is exactly what happens when models are pulled from a public registry or a shared workspace.

Impact

Successful exploitation gives an attacker command execution, with the privileges of the MLflow serving process, on the affected host. From there they can steal data and credentials, deploy ransomware, install backdoors, or use the server as a pivot into internal networks. Any organization that serves models from untrusted or weakly vetted sources on an unpatched version is at immediate risk.

Remediation and Mitigation

The primary and mandatory action is to upgrade MLflow to version 3.8.2 or later, where this vulnerability has been patched.

Immediate Actions:

  1. Patch: Update all MLflow installations to version 3.8.2 or later.
  2. Inventory: Identify every MLflow installation and record its version. The advisory names 3.8.0 as the affected release and 3.8.2 as the first fixed release; treat anything older than 3.8.2 as unpatched until confirmed otherwise.
  3. Restrict Deployments: Until patched, strictly control and audit the source of every model artifact being deployed. Do not deploy models from unverified or external sources with env_manager=LOCAL, and review the python_env.yaml of any artifact you do deploy for anything that is not a plain dependency specifier.

If immediate upgrading is impossible, stop serving models with the env_manager=LOCAL configuration as a temporary workaround. MLflow's other environment managers (`virtualenv` and `conda`) build an isolated environment for the model; the affected code path described in this advisory is the LOCAL one, so switching is a reasonable stopgap, though it changes deployment behaviour and start-up time. Whatever the environment manager, python_env.yaml remains attacker-controlled input inside the artifact, so provenance controls on the artifacts themselves are the more durable mitigation.
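To make the mechanism and the pre-deployment check concrete, the following Python is an added illustration written for this advisory; it is not MLflow's code and does not reproduce the actual `_install_model_dependencies_to_env()` implementation. It assumes a python_env.yaml in the shape MLflow logs beside a model (constructed here with one malicious entry), shows the string-interpolation anti-pattern, and then a hardened path: a conservative allow-list for dependency specifiers, an argv-list install with no shell involved, and an `audit_model_dir()` helper (a hypothetical name) that flags artifacts before they are deployed.

```python
"""Added illustration, not MLflow's code: how an unvalidated python_env.yaml
turns into shell command injection, plus a hardened install path and a
pre-deployment audit that refuses artifacts carrying unsafe specifiers."""
from __future__ import annotations

import os
import re
import subprocess
import sys
import tempfile

# Constructed python_env.yaml in the shape MLflow logs beside a model. The last
# dependency is attacker-controlled: once pasted into a shell string, the ";"
# terminates the pip command and the rest runs as its own command.
MALICIOUS_PYTHON_ENV_YAML = """\
python: 3.10.12
build_dependencies:
  - pip==23.3.1
dependencies:
  - numpy==1.26.4
  - scikit-learn>=1.3,<1.5
  - "requests; touch /tmp/pwned; echo"
"""


def parse_dependencies(yaml_text: str) -> list[str]:
    """Minimal reader for the flat `dependencies:` list (no PyYAML needed)."""
    deps, in_block = [], False
    for raw in yaml_text.splitlines():
        line = raw.rstrip()
        if line and not line[0].isspace() and line.endswith(":"):
            in_block = line == "dependencies:"
            continue
        if in_block and line.lstrip().startswith("- "):
            deps.append(line.lstrip()[2:].strip().strip("\"'"))
    return deps


def vulnerable_install_command(deps: list[str]) -> str:
    """The anti-pattern: raw specifiers interpolated into one shell string
    destined for a shell=True subprocess. Returned rather than run, so the
    injected command is visible but never executes."""
    return f"{sys.executable} -m pip install " + " ".join(deps)


# Conservative subset of PEP 508: distribution name, optional extras, optional
# comma-separated version constraints. Rejects URLs, environment markers and
# every shell metacharacter; widen it only if the models you serve need more.
_SAFE_SPEC = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?"
    r"(?:\[[A-Za-z0-9._,-]+\])?"
    r"(?:\s*(?:===|==|!=|<=|>=|~=|<|>)\s*[A-Za-z0-9.*+!-]+"
    r"(?:\s*,\s*(?:===|==|!=|<=|>=|~=|<|>)\s*[A-Za-z0-9.*+!-]+)*)?$"
)


def unsafe_specifiers(deps: list[str]) -> list[str]:
    """Every dependency string that does not match the allow-list."""
    return [d for d in deps if not _SAFE_SPEC.fullmatch(d)]


def hardened_install_argv(deps: list[str]) -> list[str]:
    """Validate first, then build an argv list. No shell parses it, so even a
    specifier that slipped past the allow-list reaches pip as one argument."""
    bad = unsafe_specifiers(deps)
    if bad:
        raise ValueError(f"refusing to install unsafe specifiers: {bad}")
    return [sys.executable, "-m", "pip", "install", *deps]


def install_dependencies(deps: list[str]) -> None:
    subprocess.run(hardened_install_argv(deps), check=True)  # never shell=True


def audit_model_dir(model_dir: str) -> dict[str, list[str]]:
    """Pre-deployment check: map each python_env.yaml under model_dir to the
    unsafe specifiers it carries. An empty dict means nothing was flagged."""
    findings: dict[str, list[str]] = {}
    for root, _dirs, files in os.walk(model_dir):
        if "python_env.yaml" in files:
            path = os.path.join(root, "python_env.yaml")
            with open(path, encoding="utf-8") as fh:
                bad = unsafe_specifiers(parse_dependencies(fh.read()))
            if bad:
                findings[path] = bad
    return findings


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "model"))
        with open(os.path.join(tmp, "model", "python_env.yaml"), "w", encoding="utf-8") as fh:
            fh.write(MALICIOUS_PYTHON_ENV_YAML)
        deps = parse_dependencies(MALICIOUS_PYTHON_ENV_YAML)
        print("shell string the vulnerable path would hand to a shell:")
        print("  " + vulnerable_install_command(deps))
        print("audit findings:", audit_model_dir(tmp))
```

Run it and look at the printed shell string: besides the obvious `; touch /tmp/pwned`, note that the perfectly legitimate `scikit-learn>=1.3,<1.5` would itself be parsed by a shell as output redirection, which is why an argv list rather than tighter quoting is the fix. The allow-list is deliberately strict; a model that genuinely needs a URL or environment-marker dependency should fail the audit and be reviewed by a human rather than have the pattern loosened globally.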

Security Insight

This vulnerability highlights the persistent risk of "poisoned" AI/ML model artifacts, a growing threat vector as organizations increasingly consume pre-trained models from public repositories. A model artifact is not just weights: it bundles environment metadata such as python_env.yaml that the platform acts on, and here that metadata reached a shell unchecked. It mirrors past incidents in other ecosystems where dependency-management code became an attack surface. That the flaw sits in a core deployment function argues for more rigorous security review of any code that handles artifact-supplied data in a privileged context, in MLflow and in the pipelines that consume its output.
