CVE-2025-10279 Overview
A race condition vulnerability exists in MLflow version 2.20.3 due to insecure world-writable permissions (0o777) assigned to temporary directories used for creating Python virtual environments. This vulnerability allows an attacker with local write access to the /tmp directory to exploit a Time-of-Check Time-of-Use (TOCTOU) race condition and overwrite .py files in the virtual environment, leading to arbitrary code execution.
Critical Impact
Local attackers with write access to /tmp can achieve arbitrary code execution by exploiting insecure temporary directory permissions in MLflow's virtual environment creation process.
Affected Products
- MLflow version 2.20.3
- MLflow versions prior to 3.4.0
Discovery Timeline
- 2026-02-02 - CVE CVE-2025-10279 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2025-10279
Vulnerability Analysis
The vulnerability stems from improper handling of temporary directory permissions in MLflow's file utilities. When MLflow creates temporary directories for Python virtual environments, it uses tempfile.mkdtemp() followed by an explicit permission change to 0o777 (world-writable). This design choice, originally intended to ensure visibility in Spark UDF contexts, creates a significant security weakness.
The insecure permissions enable a local attacker to monitor the /tmp directory for newly created MLflow virtual environment directories and inject malicious Python code before the legitimate application processes execute. This classic TOCTOU (CWE-379) vulnerability allows privilege escalation through code injection into the execution pipeline.
Root Cause
The root cause is the explicit os.chmod(tmp_dir, 0o777) call that grants world-readable, world-writable, and world-executable permissions to the temporary directory. While tempfile.mkdtemp() creates directories with secure 0o700 permissions by default, the subsequent chmod operation weakens this protection to accommodate Spark UDF requirements without considering the security implications.
Attack Vector
The attack requires local access to the system with write permissions to the /tmp directory. An attacker can exploit this vulnerability by:
- Monitoring the /tmp directory for newly created MLflow temporary directories
- Detecting when a new virtual environment directory is created with 0o777 permissions
- Racing to overwrite .py files within the virtual environment before they are executed
- Achieving arbitrary code execution when MLflow processes the modified Python files
else:
tmp_dir = tempfile.mkdtemp()
# mkdtemp creates a directory with permission 0o700
- # change it to be 0o777 to ensure it can be seen in spark UDF
- os.chmod(tmp_dir, 0o777)
+ # For Spark UDFs, we need to make it accessible to other processes
+ # Use 0o750 (owner: rwx, group: r-x, others: None) instead of 0o777
+ # This allows read/execute but not write for group and others
+ os.chmod(tmp_dir, 0o750)
atexit.register(shutil.rmtree, tmp_dir, ignore_errors=True)
return tmp_dir
Source: GitHub Commit Update
Detection Methods for CVE-2025-10279
Indicators of Compromise
- Unexpected modifications to Python files in MLflow temporary directories under /tmp
- Unusual process execution patterns originating from MLflow virtual environment directories
- File system monitoring alerts showing rapid file modifications in /tmp directories with MLflow-related naming patterns
- Evidence of directory permission monitoring scripts or tools targeting /tmp
Detection Strategies
- Monitor file integrity of Python files within MLflow temporary directories using file integrity monitoring (FIM) solutions
- Implement audit logging for file permission changes and file modifications in /tmp directories
- Deploy endpoint detection rules to identify suspicious write operations to temporary virtual environment directories
- Configure SentinelOne behavioral AI to detect anomalous code execution patterns from temporary directories
Monitoring Recommendations
- Enable comprehensive audit logging for /tmp directory operations on systems running MLflow
- Implement real-time alerting for world-writable permission assignments to directories in /tmp
- Monitor for unusual Python interpreter executions originating from temporary directories
- Use SentinelOne's Deep Visibility to track process lineage and identify suspicious execution chains
How to Mitigate CVE-2025-10279
Immediate Actions Required
- Upgrade MLflow to version 3.4.0 or later immediately
- Audit systems for evidence of exploitation by checking for unauthorized modifications in /tmp
- Restrict local access to systems running vulnerable MLflow versions
- Implement additional access controls on the /tmp directory where feasible
Patch Information
The vulnerability is resolved in MLflow version 3.4.0. The fix changes the temporary directory permissions from 0o777 to 0o750, which allows read/execute access for the group but removes write permissions for group and others entirely. This maintains compatibility with Spark UDFs while eliminating the race condition attack surface. The patch is available via the GitHub Commit Update.
Workarounds
- If immediate upgrade is not possible, consider implementing system-level restrictions on /tmp directory access
- Use dedicated, isolated systems for MLflow workloads to limit local attacker access
- Configure mount options for /tmp with noexec where application compatibility allows
- Implement additional monitoring and alerting for temporary directory operations as an interim control
# Configuration example
# Upgrade MLflow to patched version
pip install --upgrade mlflow>=3.4.0
# Verify installed version
pip show mlflow | grep Version
# Alternative: Restrict /tmp permissions at system level (may impact other applications)
# mount -o remount,nosuid,nodev /tmp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
