CVE-2025-15379 is a critical command injection vulnerability found in LFProjects MLflow's model serving container initialization code. Specifically, the vulnerability exists in the function _install_model_dependencies_to_env(). When deploying a model with env_manager=LOCAL, MLflow reads dependency specifications from the model artifact's python_env.yaml file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The affected version is 3.8.0, and the issue is fixed in version 3.8.2.
This vulnerability is assigned a CVSS score of 9.8, indicating its critical severity. The risk to organizations includes potential unauthorized command execution, leading to further system compromise or data loss. Given the wide usage of MLflow in machine learning operations, this vulnerability poses a significant threat. Organizations should prioritize patching immediately.
As of now, there are no known exploits or proof of concept available for this vulnerability. However, given its nature and the potential for exploitation, it is essential for organizations to remain vigilant. Regular monitoring and timely updates are crucial in mitigating risks associated with this vulnerability.
The publication date for this vulnerability is March 30, 2026, and it was last modified on April 28, 2026. Organizations should review their systems and ensure that they are running the patched version to mitigate any risks associated with CVE-2025-15379.
Vulnerability Details
The command injection vulnerability allows attackers to execute arbitrary commands on affected systems. The vulnerability is classified under CWE-77 (Command Injection).
The CVSS score of 9.8 signifies a critical severity level, with impacts on confidentiality, integrity, and availability rated as high. The attack vector is classified as network-based, with low complexity and no privileges required for exploitation.
The specific version affected is 3.8.0, with the fix available in version 3.8.2. Organizations should ensure that they upgrade to the latest version to protect against this vulnerability.
Technical Analysis
The root cause of CVE-2025-15379 is a failure to properly sanitize user input when reading dependency specifications from the model artifact's python_env.yaml file. Interpolating those specifications directly into a shell command string exposes the system to command injection attacks.
The attack vector is network-based, allowing remote attackers to exploit this vulnerability without physical access to the system. The attack complexity is classified as low, making it easier for attackers to exploit. No user interaction is required, which further increases the risk.
The confidentiality, integrity, and availability impacts are all rated as high, indicating that successful exploitation could lead to complete control over the affected systems, allowing attackers to manipulate data, execute unauthorized actions, and disrupt service availability.
Risk & Impact Analysis
Organizations using MLflow should be aware of the real-world risks associated with this vulnerability. The potential for arbitrary command execution means that attackers could deploy malicious models, compromising the integrity and availability of systems.
The blast radius of this vulnerability is significant, especially in environments where MLflow is integrated with other systems. An attacker could exploit this flaw to escalate privileges and gain access to sensitive data or disrupt operations.
Given the critical CVSS score of 9.8, organizations should assess their exposure and prioritize patching as part of their security risk management strategies.
Exploitation Status
| Signal | Status |
|---|---|
| Known Exploit | No |
| Public PoC | No |
| Actively Exploited | No |
| Ransomware Use | No |
Affected Versions
The vulnerability affects all versions of MLflow from 3.8.0 up to 3.8.1. Organizations should upgrade to version 3.8.2 or later to remediate this issue.
Mitigation & Remediation
To mitigate the risks associated with CVE-2025-15379, organizations should apply the following remediation measures:
1. Upgrade to MLflow version 3.8.2 or later as soon as possible.
2. If upgrading is not immediately feasible, consider restricting access to the MLflow service to trusted users and networks.
3. Monitor for unusual activity and configurations that may indicate exploitation attempts.
4. Review and harden configurations related to model deployments to minimize exposure.
For ongoing security assessment, organizations may consider engaging in penetration testing to identify and mitigate similar vulnerabilities.
Detection Guidance
Organizations should implement logging and monitoring strategies to detect potential exploitation attempts. Key indicators include:
1. Unusual shell command executions originating from MLflow deployments.
2. Changes to model artifact configurations that do not align with standard operational practices.
3. Alerts from intrusion detection systems when unexpected commands are executed.
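To make the root cause from the Technical Analysis and the detection indicators above concrete, here is an added example (not MLflow's own code) that contrasts the unsafe interpolation pattern the advisory describes with a fail-closed alternative, and adds a scanner over a parsed python_env.yaml. The function names, the allow-list regex and the sample artifact contents are assumptions constructed for illustration.

```python
import re
import shlex
# Allow-list for one requirement specifier (name, optional extras, optional version
# constraints). The pattern is illustrative, not MLflow's own validation.
_VERSION = r"(==|!=|<=|>=|<|>|~=)\s*[A-Za-z0-9.*+!-]+"
_REQ_RE = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._-]*"             # distribution name
    r"(\[[A-Za-z0-9._,-]+\])?"                 # optional extras, e.g. [extra]
    rf"(\s*{_VERSION}(\s*,\s*{_VERSION})*)?$"  # optional version constraints
)
# MLflow python_env.yaml files commonly list "-r requirements.txt"; allow only that literal.
_ALLOWED_LITERALS = {"-r requirements.txt"}

def vulnerable_install_command(deps):
    """Unsafe pattern from the advisory: entries joined into one shell command line."""
    return "pip install " + " ".join(deps)

def is_safe_requirement(spec):
    """True only for a plain requirement specifier or an allowed literal."""
    spec = spec.strip()
    return spec in _ALLOWED_LITERALS or bool(_REQ_RE.match(spec))

def hardened_install_command(deps):
    """Validate every entry, then return an argv list for subprocess.run(argv, shell=False):
    no shell ever parses the entries, and a bad entry fails closed."""
    rejected = [d for d in deps if not is_safe_requirement(d)]
    if rejected:
        raise ValueError(f"rejected dependency specifiers: {rejected}")
    argv = ["python", "-m", "pip", "install"]
    for d in deps:
        d = d.strip()
        argv.extend(shlex.split(d) if d in _ALLOWED_LITERALS else [d])
    return argv

def scan_python_env(env):
    """Detection: return (section, entry) pairs of a parsed python_env.yaml that fail validation."""
    findings = []
    for section in ("build_dependencies", "dependencies"):
        for entry in env.get(section) or []:
            if not isinstance(entry, str) or not is_safe_requirement(entry):
                findings.append((section, entry))
    return findings

# Constructed sample of a parsed python_env.yaml; the last entry carries shell metacharacters.
SAMPLE_PYTHON_ENV = {
    "python": "3.10.12",
    "build_dependencies": ["pip==23.3.1", "setuptools", "wheel"],
    "dependencies": ["-r requirements.txt", "scikit-learn>=1.3,<2", "numpy==1.26.0 && echo injected"],
}
```

Running scan_python_env over each model artifact's python_env.yaml before deployment turns the advisory's second detection indicator into a concrete, automatable check.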
AppSecure Threat Intelligence Insight
CVE-2025-15379 highlights the critical need for secure coding practices, particularly in systems handling user-generated or model-based inputs. The lack of input sanitization can lead to severe vulnerabilities that are easily exploitable.
This vulnerability serves as a reminder of the importance of reviewing and updating dependencies regularly. Organizations should develop a robust vulnerability management program to proactively identify and mitigate risks.
Organizations should also consider integrating AI security best practices to enhance their defenses against similar vulnerabilities in the future.
In conclusion, organizations utilizing MLflow must address CVE-2025-15379 with urgency to prevent potential exploitation. Regular updates and security assessments are essential components of an effective security strategy.
For further insights into penetration testing methodologies, organizations can refer to penetration testing methodology as a foundational resource.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.