CVE-2025-11201: MLflow Path Traversal enables

Q: Is CVE-2025-11201 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-11201, increasing the risk of exploitation.

Q: How to fix CVE-2025-11201?

1. PATCH: Upgrade to MLflow 3.0.0 immediately (confirmed fixes in commits e7dc057 and 5f98ff9 in mlflow/mlflow repo). 2. ISOLATE: If immediate patching is blocked, firewall MLflow Tracking Server to restrict access to known internal CI/CD IPs only — block all external and lateral access. 3. LEAST PRIVILEGE: Audit MLflow service account permissions; revoke any cloud admin or broad S3/storage roles not strictly required. 4. DETECT: Search access logs for path traversal patterns in model creation API calls — look for '../', '%2e%2e', or unusual absolute paths. Set alerts on these patterns. 5. AUDIT FOR COMPROMISE: Inspect the MLflow host for unexpected files, new scheduled tasks, or anomalous outbound connections that may indicate prior exploitation. 6. ROTATE: As a precaution, rotate all credentials (cloud keys, DB passwords, API tokens) accessible from the MLflow host environment.

Q: What systems are affected by CVE-2025-11201?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model registry, MLOps infrastructure, experiment tracking platforms, CI/CD ML pipelines.

Q: What is the CVSS score for CVE-2025-11201?

CVE-2025-11201 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 25.04%.

CISO Take

Patch MLflow to 3.0.0 immediately — this is unauthenticated RCE over the network, zero skills required, and MLflow Tracking Servers are routinely exposed on internal data science networks or cloud environments. If you cannot patch now, firewall the instance to known CI/CD IPs only and treat any previously exposed deployment as compromised. Rotate all credentials accessible from the MLflow host.

What is the risk?

CRITICAL. CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) — network-reachable, no authentication, no user interaction, low complexity. MLflow Tracking Servers are commonly deployed with broad internal network access or exposed via cloud load balancers, often without dedicated security hardening. The service account running MLflow typically holds cloud storage credentials, database connection strings, and access to model artifacts. EPSS of ~9% signals active weaponization risk within 30 days of disclosure. Not yet in CISA KEV, but the exploitation profile matches historically rapid KEV additions.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
MLflow	pip	—	No patch
26.6K OpenSSF 5.6 655 dependents Pushed 4d ago 31% patched ~51d to patch Full package profile →
MLflow	pip	>= 3.0.0rc0, < 3.0.0	`3.0.0`
26.6K OpenSSF 5.6 655 dependents Pushed 4d ago 31% patched ~51d to patch Full package profile →

How severe is it?

CVSS 3.1

9.8 / 10

EPSS

25.0%

chance of exploitation in 30 days

Higher than 98% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

○ EPSS exploit prediction: 25%

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I High

A High

What should I do?

6 steps

PATCH

Upgrade to MLflow 3.0.0 immediately (confirmed fixes in commits e7dc057 and 5f98ff9 in mlflow/mlflow repo).
ISOLATE

If immediate patching is blocked, firewall MLflow Tracking Server to restrict access to known internal CI/CD IPs only — block all external and lateral access.
LEAST PRIVILEGE

Audit MLflow service account permissions; revoke any cloud admin or broad S3/storage roles not strictly required.
DETECT

Search access logs for path traversal patterns in model creation API calls — look for '../', '%2e%2e', or unusual absolute paths. Set alerts on these patterns.
AUDIT FOR COMPROMISE

Inspect the MLflow host for unexpected files, new scheduled tasks, or anomalous outbound connections that may indicate prior exploitation.
ROTATE

As a precaution, rotate all credentials (cloud keys, DB passwords, API tokens) accessible from the MLflow host environment.

What does CISA's SSVC say?

Decision Track

Exploitation none

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Auth Bypass Framework AML.T0010.001 - AI Software AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application AML.T0072 - Reverse Shell

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.4 - AI system security A.8.2 - Incident management for AI systems

NIST AI RMF

GOVERN 6.1 - Policies for AI risk management MANAGE 2.2 - Mechanisms to maintain AI risk awareness

OWASP LLM Top 10

LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-11201?

Patch MLflow to 3.0.0 immediately — this is unauthenticated RCE over the network, zero skills required, and MLflow Tracking Servers are routinely exposed on internal data science networks or cloud environments. If you cannot patch now, firewall the instance to known CI/CD IPs only and treat any previously exposed deployment as compromised. Rotate all credentials accessible from the MLflow host.

Is CVE-2025-11201 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-11201, increasing the risk of exploitation.

How to fix CVE-2025-11201?

1. PATCH: Upgrade to MLflow 3.0.0 immediately (confirmed fixes in commits e7dc057 and 5f98ff9 in mlflow/mlflow repo). 2. ISOLATE: If immediate patching is blocked, firewall MLflow Tracking Server to restrict access to known internal CI/CD IPs only — block all external and lateral access. 3. LEAST PRIVILEGE: Audit MLflow service account permissions; revoke any cloud admin or broad S3/storage roles not strictly required. 4. DETECT: Search access logs for path traversal patterns in model creation API calls — look for '../', '%2e%2e', or unusual absolute paths. Set alerts on these patterns. 5. AUDIT FOR COMPROMISE: Inspect the MLflow host for unexpected files, new scheduled tasks, or anomalous outbound connections that may indicate prior exploitation. 6. ROTATE: As a precaution, rotate all credentials (cloud keys, DB passwords, API tokens) accessible from the MLflow host environment.

What systems are affected by CVE-2025-11201?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model registry, MLOps infrastructure, experiment tracking platforms, CI/CD ML pipelines.

What is the CVSS score for CVE-2025-11201?

CVE-2025-11201 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 25.04%.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel registryMLOps infrastructureexperiment tracking platformsCI/CD ML pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0025 Exfiltration via Cyber Means

AML.T0035 AI Artifact Collection

AML.T0037 Data from Local System

AML.T0049 Exploit Public-Facing Application

AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.6.2.4, A.8.2

NIST AI RMF: GOVERN 6.1, MANAGE 2.2

OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of model file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26921.

Exploitation Scenario

Attacker scans cloud environments for MLflow Tracking Servers on default ports (5000/5001) using Shodan or targeted AWS/GCP enumeration. Sends a crafted HTTP POST to the model file creation endpoint with a path traversal payload (e.g., '../../etc/cron.d/backdoor' or a writable path outside the intended directory) to drop an arbitrary file on the server filesystem. No credentials or prior access required. Payload writes a reverse shell cron job or web shell. Attacker gains code execution as the MLflow service account and immediately queries the cloud metadata endpoint for IAM credentials, then exfiltrates model weights, training data, and stored experiment artifacts. Full attack chain executable in under five minutes with a basic proof-of-concept script.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.