CVE-2025-8917: clearml: path traversal in safe_extract → RCE risk

GHSA-579p-qf78-fqm2 MEDIUM PoC AVAILABLE CISA: ATTEND
Published October 5, 2025
CISO Take

Upgrade clearml to 2.0.2 immediately — the `safe_extract` path traversal allows crafted artifacts (models, datasets) to overwrite arbitrary files on extraction, achieving RCE on any host that processes them. The real threat vector is not a direct attacker but a poisoned artifact in your shared experiment store triggering file writes during automated pipeline execution. EPSS is negligible and no active exploitation observed, but MLOps pipelines that auto-extract artifacts from external or shared sources should treat this as higher priority than the score indicates.

What is the risk?

CVSS 5.8 understates real-world risk in collaborative MLOps environments. The local attack vector assumes single-machine exploitation, but clearml instances routinely auto-extract artifacts from shared repositories, effectively broadening the attack surface to anyone who can push artifacts to your clearml server. Post-exploitation Confidentiality and Integrity impact is High — filesystem overwrites can yield persistent access. Low EPSS (0.00027) and no KEV listing confirm no active exploitation, but the symlink/hardlink → path traversal → RCE chain is well-understood and reproducible by moderately skilled attackers.

What systems are affected?

Package   Ecosystem   Vulnerable range   Patched
ClearML   pip         < 2.0.2            2.0.2

Do you use ClearML? You're affected.

How severe is it?

CVSS 3.1
5.8 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 18% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): High
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): None

What should I do?

6 steps
  1. Patch: Run pip install --upgrade clearml to reach 2.0.2 across all environments (dev, CI/CD, training servers, inference hosts).

  2. Audit: Run pip show clearml to confirm version; flag any < 2.0.2 as critical.

  3. Artifact inspection: Review recently extracted archives for unexpected symlinks or files written outside extraction directories.

  4. Detection: Alert on unusual file writes by clearml worker processes — especially targeting /etc/, ~/.ssh/, Python site-packages, or cron directories.

  5. Hardening: Run clearml workers in containers with read-only host filesystem mounts and least-privilege service accounts.

  6. Provenance controls: Enforce that workers only extract artifacts from authenticated, internal clearml servers — block external artifact sources at the network layer.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.10.1 - Information security measures for AI systems
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain deployed AI system value
OWASP LLM Top 10
LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2025-8917 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-8917, increasing the risk of exploitation.

What systems are affected by CVE-2025-8917?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, ml ops tooling, model registry, experiment tracking.

What is the CVSS score for CVE-2025-8917?

CVE-2025-8917 has a CVSS v3.1 base score of 5.8 (MEDIUM). The EPSS exploitation probability is 0.27%.

What is the AI security impact?

Affected AI Architectures

training pipelines
ml ops tooling
model registry
experiment tracking

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0010.003 Model
AML.T0011.001 Malicious Package
AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.10.1
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

A vulnerability in clearml versions before 2.0.2 allows for path traversal due to improper handling of symbolic and hard links in the `safe_extract` function. This flaw can lead to arbitrary file writes outside the intended directory, potentially resulting in remote code execution if critical files are overwritten.

Exploitation Scenario

Adversary targets a data science team using shared clearml experiment tracking. They compromise a clearml artifact store (or publish a poisoned pre-trained model to a public registry the team imports). The malicious artifact is a tarball embedding a symlink: `./model.pt → /home/mlworker/.ssh/authorized_keys`. When a clearml worker automatically downloads and extracts this artifact during a scheduled training run, `safe_extract` follows the symlink — writing an adversary-controlled SSH public key to the host. Adversary gains persistent SSH access to the training server and from there can pivot to the broader ML infrastructure, exfiltrate proprietary models, or inject poisoned weights into downstream pipelines.
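As an added example (not clearml's code and not its patched `safe_extract`), the pre-extraction check that step 3 above and this scenario call for: it audits a tar archive for the escape routes the advisory names (traversal in member names, sym/hard links whose target is outside the destination, and a member whose path passes through a symlink created earlier in the archive). The sample archive, its member names and the `/opt/clearml-cache` destination are constructed for the demonstration.

```python
import io
import os
import tarfile


def build_sample_tar() -> bytes:
    """Constructed sample: a benign file, the scenario's symlink member, and a ../ member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        payload = b"weights"
        info = tarfile.TarInfo("weights.bin")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo("model.pt")
        link.type = tarfile.SYMTYPE
        link.linkname = "/home/mlworker/.ssh/authorized_keys"  # from the scenario above
        tar.addfile(link)
        tar.addfile(tarfile.TarInfo("../outside.txt"))  # empty file with a traversing name
    return buf.getvalue()


def _inside(base: str, path: str) -> bool:
    """True if base/path, once normalised, still lies under base."""
    base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, path))
    return os.path.commonpath([base, target]) == base


def audit_tar(data: bytes, dest: str = "/opt/clearml-cache") -> list:
    """Return (member, reason) pairs that would write outside dest (assumed cache dir).
    A member whose path passes through a symlink created earlier in the archive is also flagged."""
    findings, earlier_links = [], set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            name = os.path.normpath(m.name)
            parts = name.split(os.sep)
            if os.path.isabs(m.name) or not _inside(dest, name):
                findings.append((m.name, "member path escapes destination"))
            elif any(os.sep.join(parts[:i]) in earlier_links for i in range(1, len(parts))):
                findings.append((m.name, "path traverses an earlier symlink member"))
            elif m.issym():
                # a symlink target is resolved relative to the link's own directory
                target = os.path.join(os.path.dirname(name), m.linkname)
                if os.path.isabs(m.linkname) or not _inside(dest, target):
                    findings.append((m.name, f"symlink to {m.linkname}"))
                earlier_links.add(name)
            elif m.islnk() and (os.path.isabs(m.linkname) or not _inside(dest, m.linkname)):
                findings.append((m.name, f"hardlink to {m.linkname}"))  # hardlink targets are archive-root relative
            elif not (m.isfile() or m.isdir() or m.islnk()):
                findings.append((m.name, "device or fifo member"))
    return findings
```

On Python 3.12 and later, `tarfile.extractall(..., filter="data")` rejects the same member classes at extraction time; on older interpreters an audit like this has to run before extraction.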

Weaknesses (CWE)

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

Timeline

Published
October 5, 2025
Last Modified
October 7, 2025
First Seen
March 24, 2026

Related Vulnerabilities