CVE-2025-15379
MLflow Command Injection vulnerability
Description
A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model artifact's `python_env.yaml` file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects versions 3.8.0 and is fixed in version 3.8.1.
How to fix CVE-2025-15379
To remediate CVE-2025-15379, upgrade the affected package to a fixed version below.
- —upgrade to 3.9.0 or later
- —upgrade to 3.8.1 or later
Is CVE-2025-15379 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 3.8.0, < 3.9.0
- from 0, < 3.8.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL10.0 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |