cbcvebase.
CVE-2025-15379
published 2026-03-30

CVE-2025-15379: A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()`…

PriorityP270critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
1.99%
78.2th percentile
A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model artifact's `python_env.yaml` file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects versions 3.8.0 and is fixed in version 3.8.2.

Affected

3 ranges
VendorProductVersion rangeFixed in
lfprojectsmlflow3.8.0 – 3.8.1
mlflowmlflow_mlflow>= 0 < 3.8.13.8.1
mlflowmlflow_mlflow>= unspecified < 3.8.23.8.2

Detection & IOCsextracted from sources · hover to see the quote

pathpython_env.yaml
  • Monitor invocations of `_install_model_dependencies_to_env()` in MLflow model serving code, particularly when `env_manager=LOCAL` is set, for shell metacharacters or unexpected commands injected via python_env.yaml dependency strings.
  • Flag MLflow model deployments using `env_manager=LOCAL` as a higher-risk configuration where command injection via crafted model artifacts is possible.
  • Inspect `python_env.yaml` files within model artifacts for shell injection payloads (e.g., semicolons, backticks, `$()`, pipes) in dependency specification fields before deployment.
  • ·The vulnerability is only exploitable when MLflow model serving is configured with `env_manager=LOCAL`; other env_manager modes do not trigger the vulnerable code path.
  • ·Affected version is 3.8.0; the fix is present in version 3.8.2. Deployments running 3.8.0 should be prioritized for upgrade.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv3.010.0CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vendor_redhat10.0CRITICAL
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.