CVE-2025-10279: MLflow security flaw enables

CISO Take

MLflow's insecure /tmp directory permissions (0o777) during venv creation expose training pipelines to local code execution via race condition. Any shared compute environment — Jupyter hubs, multi-tenant GPU clusters, or containerized ML platforms without proper namespace isolation — is at risk. Patch to MLflow 3.4.0 immediately; if you can't patch today, restrict /tmp access with sticky bits and audit shared MLflow deployments.

What is the risk?

Real-world risk is moderate despite the High CVSS score. Exploitation requires local access and successful race condition timing (high complexity), limiting remote attack surface. However, shared ML infrastructure is the norm in enterprise AI — data scientists on Jupyter Hub, shared Slurm/Kubernetes GPU nodes, and CI/CD ML pipelines all create multi-tenant /tmp environments where this becomes practically exploitable. EPSS of 0.00007 confirms no current active exploitation, but the attack primitive is well-understood and tooling for race condition exploits is widely available.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
MLflow	pip	< 3.4.0rc0	`3.4.0rc0`
26.6K OpenSSF 5.6 655 dependents Pushed 4d ago 31% patched ~51d to patch Full package profile →

Do you use MLflow? You're affected.

How severe is it?

CVSS 3.1

7.0 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 12% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Local

AC High

PR Low

UI None

S Unchanged

C High

I High

A High

What should I do?

5 steps

PATCH

Upgrade MLflow to >= 3.4.0 — the fix applies secure permissions to temp directories during venv creation.
WORKAROUND (if immediate patch is not possible): Set sticky bit on /tmp (chmod +t /tmp) to prevent non-owners from deleting/overwriting others' files; use private temp directories via TMPDIR env var pointing to user-owned paths.
ISOLATE

Run MLflow training jobs in dedicated containers or VMs with non-shared /tmp filesystems — this eliminates the attack surface entirely.
DETECT

Monitor for unexpected writes to /tmp/*/.venv/ or /tmp/*/lib/python*/site-packages/ by processes other than mlflow; alert on mlflow process loading .py files from /tmp after a write by a different UID.
AUDIT

Inventory all MLflow deployments, especially shared Jupyter/Slurm environments with multiple user accounts.

What does CISA's SSVC say?

Decision Attend

Exploitation poc

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Supply Chain Framework Training Data AML.T0010.001 - AI Software AML.T0018.002 - Embed Malware AML.T0037 - Data from Local System AML.T0050 - Command and Scripting Interpreter

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article-15 - Accuracy, Robustness and Cybersecurity

ISO 42001

A.6.2 - AI System Security A.6.2.6 - Secure AI system development and deployment A.8.3 - AI system operation and monitoring A.9.7 - Protection of AI System Assets

NIST AI RMF

GOVERN 6.1 - Policies and procedures are in place for AI risk management GOVERN-6.1 - AI Risk Management Inventory and Policies MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems are evaluated and in place MANAGE-2.2 - Mechanisms for Identifying and Addressing AI Risks

OWASP LLM Top 10

LLM03 - Training Data Poisoning

Frequently Asked Questions

What is CVE-2025-10279?

MLflow's insecure /tmp directory permissions (0o777) during venv creation expose training pipelines to local code execution via race condition. Any shared compute environment — Jupyter hubs, multi-tenant GPU clusters, or containerized ML platforms without proper namespace isolation — is at risk. Patch to MLflow 3.4.0 immediately; if you can't patch today, restrict /tmp access with sticky bits and audit shared MLflow deployments.

Is CVE-2025-10279 actively exploited?

No confirmed active exploitation of CVE-2025-10279 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-10279?

1. PATCH: Upgrade MLflow to >= 3.4.0 — the fix applies secure permissions to temp directories during venv creation. 2. WORKAROUND (if immediate patch is not possible): Set sticky bit on /tmp (chmod +t /tmp) to prevent non-owners from deleting/overwriting others' files; use private temp directories via TMPDIR env var pointing to user-owned paths. 3. ISOLATE: Run MLflow training jobs in dedicated containers or VMs with non-shared /tmp filesystems — this eliminates the attack surface entirely. 4. DETECT: Monitor for unexpected writes to /tmp/*/.venv/ or /tmp/*/lib/python*/site-packages/ by processes other than mlflow; alert on mlflow process loading .py files from /tmp after a write by a different UID. 5. AUDIT: Inventory all MLflow deployments, especially shared Jupyter/Slurm environments with multiple user accounts.

What systems are affected by CVE-2025-10279?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, ML experiment tracking, model registry, MLOps platforms, shared compute clusters.

What is the CVSS score for CVE-2025-10279?

CVE-2025-10279 has a CVSS v3.1 base score of 7.0 (HIGH). The EPSS exploitation probability is 0.21%.

What is the AI security impact?

Affected AI Architectures

training pipelinesML experiment trackingmodel registryMLOps platformsshared compute clusters

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0018.002 Embed Malware

AML.T0037 Data from Local System

AML.T0050 Command and Scripting Interpreter

Compliance Controls Affected

EU AI Act: Article 15, Article-15

ISO 42001: A.6.2, A.6.2.6, A.8.3, A.9.7

NIST AI RMF: GOVERN 6.1, GOVERN-6.1, MANAGE 2.2, MANAGE-2.2

OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

In mlflow version 2.20.3, the temporary directory used for creating Python virtual environments is assigned insecure world-writable permissions (0o777). This vulnerability allows an attacker with write access to the `/tmp` directory to exploit a race condition and overwrite `.py` files in the virtual environment, leading to arbitrary code execution. The issue is resolved in version 3.4.0.

Exploitation Scenario

On a shared GPU cluster where 20 data scientists run MLflow experiments, an adversary with a low-privilege shell account monitors inotify events on /tmp watching for MLflow venv directory creation. When MLflow creates /tmp/mlflow-venv-XXXX/ with 0o777 permissions, the attacker has a brief window to overwrite a commonly imported .py file (e.g., site.py, importlib bootstrap) with a malicious payload before MLflow's Python interpreter executes it. The injected code runs in the MLflow process context, harvesting AWS/GCP credentials from environment variables, exfiltrating model artifacts from the registry, and optionally modifying model weights before they're logged — a silent supply chain attack on the ML pipeline that produces poisoned models deployed to production.

Weaknesses (CWE)

CWE-379 Creation of Temporary File in Directory with Insecure Permissions Primary CWE-379 Creation of Temporary File in Directory with Insecure Permissions Primary

CWE-379 — Creation of Temporary File in Directory with Insecure Permissions: The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.

[Requirements] Many contemporary languages have functions which properly handle this condition. Older C temp file functions are especially susceptible.
[Implementation] Try to store sensitive tempfiles in a directory which is not world readable -- i.e., per-user directories.

Source: MITRE CWE corpus.