Filtered by vendor Mlflow
Subscriptions
Filtered by product Mlflow/mlflow
Subscriptions
Total
1 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-15031 | 2 Lfprojects, Mlflow | 2 Mlflow, Mlflow/mlflow | 2026-03-23 | 9.1 Critical |
| A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of `tarfile.extractall` without path validation enables crafted tar.gz files containing `..` or absolute paths to escape the intended extraction directory. This issue affects the latest version of MLflow and poses a high/critical risk in scenarios involving multi-tenant environments or ingestion of untrusted artifacts, as it can lead to arbitrary file overwrites and potential remote code execution. | ||||
Page 1 of 1.