CVE-2025-11201 — CRITICAL (CVSS 9.8) AI Security Vulnerability

Q: Is CVE-2025-11201 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-11201, increasing the risk of exploitation.

Q: How to fix CVE-2025-11201?

1. PATCH: Upgrade to MLflow 3.0.0 immediately (confirmed fixes in commits e7dc057 and 5f98ff9 in mlflow/mlflow repo). 2. ISOLATE: If immediate patching is blocked, firewall MLflow Tracking Server to restrict access to known internal CI/CD IPs only — block all external and lateral access. 3. LEAST PRIVILEGE: Audit MLflow service account permissions; revoke any cloud admin or broad S3/storage roles not strictly required. 4. DETECT: Search access logs for path traversal patterns in model creation API calls — look for '../', '%2e%2e', or unusual absolute paths. Set alerts on these patterns. 5. AUDIT FOR COMPROMISE: Inspect the MLflow host for unexpected files, new scheduled tasks, or anomalous outbound connections that may indicate prior exploitation. 6. ROTATE: As a precaution, rotate all credentials (cloud keys, DB passwords, API tokens) accessible from the MLflow host environment.

Q: What systems are affected by CVE-2025-11201?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model registry, MLOps infrastructure, experiment tracking platforms, CI/CD ML pipelines.

Q: What is the CVSS score for CVE-2025-11201?

CVE-2025-11201 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 9.84%.

CISO Take

Patch MLflow to 3.0.0 immediately — this is unauthenticated RCE over the network, zero skills required, and MLflow Tracking Servers are routinely exposed on internal data science networks or cloud environments. If you cannot patch now, firewall the instance to known CI/CD IPs only and treat any previously exposed deployment as compromised. Rotate all credentials accessible from the MLflow host.

Risk Assessment

CRITICAL. CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) — network-reachable, no authentication, no user interaction, low complexity. MLflow Tracking Servers are commonly deployed with broad internal network access or exposed via cloud load balancers, often without dedicated security hardening. The service account running MLflow typically holds cloud storage credentials, database connection strings, and access to model artifacts. EPSS of ~9% signals active weaponization risk within 30 days of disclosure. Not yet in CISA KEV, but the exploitation profile matches historically rapid KEV additions.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
mlflow	pip	—	No patch
25.7K OpenSSF 4.5 624 dependents Pushed 7d ago 24% patched ~64d to patch Full package profile →
mlflow	pip	>= 3.0.0rc0, < 3.0.0	`3.0.0`
25.7K OpenSSF 4.5 624 dependents Pushed 7d ago 24% patched ~64d to patch Full package profile →

Severity & Risk

CVSS 3.1

9.8 / 10

EPSS

9.8%

chance of exploitation in 30 days

Higher than 93% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I High

A High

Recommended Action

6 steps

PATCH

Upgrade to MLflow 3.0.0 immediately (confirmed fixes in commits e7dc057 and 5f98ff9 in mlflow/mlflow repo).
ISOLATE

If immediate patching is blocked, firewall MLflow Tracking Server to restrict access to known internal CI/CD IPs only — block all external and lateral access.
LEAST PRIVILEGE

Audit MLflow service account permissions; revoke any cloud admin or broad S3/storage roles not strictly required.
DETECT

Search access logs for path traversal patterns in model creation API calls — look for '../', '%2e%2e', or unusual absolute paths. Set alerts on these patterns.
AUDIT FOR COMPROMISE

Inspect the MLflow host for unexpected files, new scheduled tasks, or anomalous outbound connections that may indicate prior exploitation.
ROTATE

As a precaution, rotate all credentials (cloud keys, DB passwords, API tokens) accessible from the MLflow host environment.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Auth Bypass Framework AML.T0010.001 - AI Software AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application AML.T0072 - Reverse Shell

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.4 - AI system security A.8.2 - Incident management for AI systems

NIST AI RMF

GOVERN 6.1 - Policies for AI risk management MANAGE 2.2 - Mechanisms to maintain AI risk awareness

OWASP LLM Top 10

LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-11201?

Patch MLflow to 3.0.0 immediately — this is unauthenticated RCE over the network, zero skills required, and MLflow Tracking Servers are routinely exposed on internal data science networks or cloud environments. If you cannot patch now, firewall the instance to known CI/CD IPs only and treat any previously exposed deployment as compromised. Rotate all credentials accessible from the MLflow host.

Is CVE-2025-11201 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-11201, increasing the risk of exploitation.

How to fix CVE-2025-11201?

1. PATCH: Upgrade to MLflow 3.0.0 immediately (confirmed fixes in commits e7dc057 and 5f98ff9 in mlflow/mlflow repo). 2. ISOLATE: If immediate patching is blocked, firewall MLflow Tracking Server to restrict access to known internal CI/CD IPs only — block all external and lateral access. 3. LEAST PRIVILEGE: Audit MLflow service account permissions; revoke any cloud admin or broad S3/storage roles not strictly required. 4. DETECT: Search access logs for path traversal patterns in model creation API calls — look for '../', '%2e%2e', or unusual absolute paths. Set alerts on these patterns. 5. AUDIT FOR COMPROMISE: Inspect the MLflow host for unexpected files, new scheduled tasks, or anomalous outbound connections that may indicate prior exploitation. 6. ROTATE: As a precaution, rotate all credentials (cloud keys, DB passwords, API tokens) accessible from the MLflow host environment.

What systems are affected by CVE-2025-11201?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model registry, MLOps infrastructure, experiment tracking platforms, CI/CD ML pipelines.

What is the CVSS score for CVE-2025-11201?

CVE-2025-11201 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 9.84%.

Technical Details

NVD Description

MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of model file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26921.

Exploitation Scenario

Attacker scans cloud environments for MLflow Tracking Servers on default ports (5000/5001) using Shodan or targeted AWS/GCP enumeration. Sends a crafted HTTP POST to the model file creation endpoint with a path traversal payload (e.g., '../../etc/cron.d/backdoor' or a writable path outside the intended directory) to drop an arbitrary file on the server filesystem. No credentials or prior access required. Payload writes a reverse shell cron job or web shell. Attacker gains code execution as the MLflow service account and immediately queries the cloud metadata endpoint for IAM credentials, then exfiltrates model weights, training data, and stored experiment artifacts. Full attack chain executable in under five minutes with a basic proof-of-concept script.