{ "threat_severity" : "Important", "public_date" : "2026-03-30T07:16:57Z", "bugzilla" : { "description" : "mlflow: MLflow: Arbitrary command execution via command injection in model serving container initialization.", "id" : "2452949", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2452949" }, "cvss3" : { "cvss3_base_score" : "9.0", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "status" : "draft" }, "cwe" : "CWE-78", "details" : [ "A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model artifact's `python_env.yaml` file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects versions 3.8.0 and is fixed in version 3.8.2.", "A flaw was found in MLflow. When deploying a model with `env_manager=LOCAL`, MLflow's model serving container initialization code, specifically the `_install_model_dependencies_to_env()` function, reads dependency specifications from the model artifact's `python_env.yaml` file. An attacker can supply a malicious model artifact, leading to command injection as these specifications are directly interpolated into a shell command without proper sanitization. This allows for arbitrary command execution on systems deploying the malicious model." ], "statement" : "This vulnerability in MLflow allows for arbitrary command execution when deploying a model with `env_manager=LOCAL`. An attacker can supply a malicious model artifact containing a crafted `python_env.yaml` file, leading to command injection during container initialization. During the deployment of the model MLflow passes the maliciously crafted requirement string to the shell command without properly sanitization of possible command injections, as consequence the attacker may be able to execute arbitrary code at the same permission level as the user running the MLflow process.\nRed Hat Product Security team has rated this vulnerability as having the impact of Important. Although it allows arbitrary code to successfully exploit this flaw the attacker depends on MLFlow having a non-default deployment option (env_manager=LOCAL), besides requiring enough privileges and access to deploy the malicious model or trick the user to download and deploy the malicious model.", "package_state" : [ { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-mlflow-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-training-cuda128-torch29-py312-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-15379\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-15379\nhttps://github.com/mlflow/mlflow/commit/361b6f620adf98385c6721e384fb5ef9a30bb05e\nhttps://huntr.com/bounties/dc9c1c20-7879-4050-87df-4d095fe5ca75" ], "name" : "CVE-2025-15379", "mitigation" : { "value" : "To mitigate this issue, avoid deploying MLflow models with `env_manager=LOCAL`. If using `env_manager=LOCAL` is unavoidable, ensure that all model artifacts, particularly their `python_env.yaml` files, originate from trusted sources and are thoroughly vetted for malicious content. This operational control helps prevent the injection of arbitrary commands during model serving container initialization.", "lang" : "en:us" }, "csaw" : false }