CVE-2025-11201 Overview
CVE-2025-11201 is a critical directory traversal vulnerability in MLflow Tracking Server that enables remote code execution on affected installations. The vulnerability exists within the handling of model file paths during model creation operations. Due to insufficient validation of user-supplied paths prior to file operations, unauthenticated remote attackers can traverse directory structures and execute arbitrary code in the context of the MLflow service account.
MLflow is a widely-used open-source platform for managing machine learning workflows, including experiment tracking, model registry, and deployment. This vulnerability poses significant risk to organizations leveraging MLflow for their ML pipelines, as successful exploitation grants attackers the ability to execute code without any authentication requirements.
Critical Impact
Unauthenticated remote attackers can achieve arbitrary code execution on MLflow Tracking Server installations through directory traversal in model file path handling, potentially compromising ML infrastructure and sensitive training data.
Affected Products
- LFProjects MLflow (all versions prior to the security patch)
- MLflow Tracking Server deployments exposed to network access
- Self-hosted and cloud-deployed MLflow instances
Discovery Timeline
- 2025-10-29 - CVE-2025-11201 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2025-11201
Vulnerability Analysis
This vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal or directory traversal. The flaw resides in the model version creation endpoint (/mlflow/model-versions/create) where the source parameter lacks proper validation before being used in file system operations.
When a model version is created in MLflow, the server accepts a source path parameter that specifies the location of model artifacts. The vulnerable code fails to sanitize this input, allowing attackers to craft malicious paths containing directory traversal sequences (e.g., ../) to escape the intended directory structure. This enables writing files to arbitrary locations on the server's file system.
The vulnerability is particularly severe because MLflow Tracking Server typically runs with elevated permissions to manage model artifacts and experiment data. An attacker exploiting this flaw can place malicious files in strategic locations to achieve code execution when those files are subsequently processed by the server or other system components.
Root Cause
The root cause of CVE-2025-11201 is the absence of input validation on the source parameter in the model version creation API endpoint. The MLflow server directly uses the user-supplied path value in file operations without verifying that the resolved path remains within the expected model storage directory. This allows path traversal sequences to redirect file operations outside the intended boundaries.
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction. An attacker can send a specially crafted HTTP request to the MLflow Tracking Server's /mlflow/model-versions/create endpoint with a malicious source parameter containing directory traversal sequences. The attack exploits the lack of path canonicalization and boundary checking in the file handling logic.
The security patch introduces a new environment variable MLFLOW_CREATE_MODEL_VERSION_SOURCE_VALIDATION_REGEX that allows administrators to enforce validation on the source parameter using a regular expression pattern:
#: If specified, tracking server rejects model `/mlflow/model-versions/create` requests with
#: a source that does not match the specified regular expression.
#: (default: ``None``).
MLFLOW_CREATE_MODEL_VERSION_SOURCE_VALIDATION_REGEX = _EnvironmentVariable(
    "MLFLOW_CREATE_MODEL_VERSION_SOURCE_VALIDATION_REGEX", str, None
)
Source: GitHub Commit 2e02bc7
The fix also updates the server handlers to import and utilize this validation mechanism:
from mlflow.environment_variables import (
    MLFLOW_CREATE_MODEL_VERSION_SOURCE_VALIDATION_REGEX,
    MLFLOW_DEPLOYMENTS_TARGET,
)
Source: GitHub Commit 2e02bc7
Detection Methods for CVE-2025-11201
Indicators of Compromise
- HTTP requests to /mlflow/model-versions/create containing path traversal sequences such as ../, ..%2f, or ..%5c in the source parameter
- Unexpected files appearing outside the designated MLflow artifact storage directories
- Anomalous file write operations by the MLflow service account to system or configuration directories
- Web server access logs showing repeated requests to model-related API endpoints with unusual parameter values
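The first indicator above, as an added detection sketch that is not part of MLflow or the original advisory: it percent-decodes the source field until stable and flags ".." only when it appears as a whole path segment. The log record schema (a dict with "path" and a JSON "body", as a reverse proxy with body logging might emit) and all sample records are constructed assumptions.

```python
import json
import re
from urllib.parse import unquote

ENDPOINT = "/mlflow/model-versions/create"
# ".." as a whole path segment, delimited by "/" or "\" or the string boundaries.
TRAVERSAL_SEGMENT = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")

def fully_decode(value, max_rounds=5):
    """Percent-decode until stable so ..%2f and double-encoded ..%252f normalize."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(record):
    """True when a logged create request carries a traversal segment in 'source'."""
    if not record.get("path", "").endswith(ENDPOINT):
        return False
    try:
        body = json.loads(record.get("body") or "{}")
    except ValueError:
        return False
    source = body.get("source") if isinstance(body, dict) else None
    return isinstance(source, str) and bool(
        TRAVERSAL_SEGMENT.search(fully_decode(source)))

def _rec(path, source):
    # Builds one constructed log record (hypothetical schema).
    return {"path": path, "body": json.dumps({"name": "demo", "source": source})}

API = "/api/2.0" + ENDPOINT
SAMPLE_LOG = [  # constructed records, not real traffic
    _rec(API, "/allowed/model/path/run1/model"),
    _rec(API, "/allowed/model/path/../../tmp/x"),
    _rec(API, "..%2f..%2ftmp%2fx"),
    _rec(API, "..%255c..%255cx"),
    _rec(API, "/allowed/model/path/v1..2/model"),
    _rec("/api/2.0/mlflow/experiments/search", "../x"),
]

def flagged_indexes(records=SAMPLE_LOG):
    """Indexes of records that should raise an alert."""
    return [i for i, r in enumerate(records) if is_suspicious(r)]
```

Matching on whole segments keeps names such as v1..2 from raising false positives, while the repeated decoding catches encoded variants that a single-pass filter would miss.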
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing directory traversal patterns in API parameters
- Monitor file integrity on critical system directories for unauthorized modifications by the MLflow service account
- Deploy network intrusion detection signatures for path traversal attack patterns targeting MLflow endpoints
- Enable detailed access logging on the MLflow Tracking Server and correlate with baseline activity patterns
Monitoring Recommendations
- Configure SIEM alerts for file system access events outside normal MLflow artifact directories
- Monitor process execution initiated by the MLflow service account for suspicious child processes
- Track API request patterns to the model-versions endpoint for anomalous source parameter values
- Implement egress monitoring for potential post-exploitation command and control communications
How to Mitigate CVE-2025-11201
Immediate Actions Required
- Apply the security patch from the MLflow GitHub repository immediately
- Configure the MLFLOW_CREATE_MODEL_VERSION_SOURCE_VALIDATION_REGEX environment variable to restrict allowed source paths
- Restrict network access to MLflow Tracking Server to trusted networks and users only
- Review server logs for evidence of exploitation attempts or successful compromise
Patch Information
The vulnerability has been addressed in a commit to the MLflow repository. The patch introduces the MLFLOW_CREATE_MODEL_VERSION_SOURCE_VALIDATION_REGEX environment variable, which enables administrators to specify a regular expression pattern that model version source parameters must match. Requests with source values that do not conform to the configured pattern are rejected by the server.
For detailed patch information, refer to the GitHub commit and the Zero Day Initiative Advisory ZDI-25-931.
Workarounds
- Deploy a reverse proxy or WAF in front of MLflow to filter requests containing path traversal patterns
- Implement network segmentation to isolate MLflow Tracking Server from untrusted networks
- Run MLflow with minimal file system permissions using a dedicated service account with restricted write access
- Disable or restrict access to the model-versions API endpoint if not actively required
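# Configuration example - Set source validation regex
# Note: ".*" also matches "../" segments, so tighten the pattern to the exact source layout in use
export MLFLOW_CREATE_MODEL_VERSION_SOURCE_VALIDATION_REGEX="^/allowed/model/path/.*$"
# Restart MLflow Tracking Server with the new configuration
# (0.0.0.0 listens on all interfaces; bind to a trusted interface where possible)
mlflow server --host 0.0.0.0 --port 5000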
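A prefix-only pattern such as the one in the configuration example accepts any suffix, including ../ segments, so it is worth testing a candidate regex before deploying it. The following added example (not MLflow code and not from the original advisory) compares that pattern with a hypothetical segment-restricted one and with the containment check described under Root Cause. It assumes plain filesystem-style sources, the root /allowed/model/path, and that the server applies the pattern with re.search semantics.

```python
import posixpath
import re

# Assumed values: the root and the prefix-only pattern mirror the page's
# configuration example; STRICT_REGEX is a hypothetical tighter alternative.
MODEL_ROOT = "/allowed/model/path"
PREFIX_REGEX = r"^/allowed/model/path/.*$"
# Each segment must start with an alphanumeric, so "..", "." and "" cannot match.
STRICT_REGEX = r"^/allowed/model/path(/[A-Za-z0-9][A-Za-z0-9._-]*)+$"

def regex_accepts(pattern, source):
    """Assumption: the server applies the pattern with re.search semantics."""
    return re.search(pattern, source) is not None

def stays_within_root(source, root=MODEL_ROOT):
    """Lexically canonicalize the path and require it to remain under root.

    normpath does not follow symlinks; on a real filesystem use
    os.path.realpath on both sides before comparing.
    """
    resolved = posixpath.normpath(source)
    return resolved == root or resolved.startswith(root + "/")

# Constructed sample sources, not taken from any real request.
SAMPLES = [
    "/allowed/model/path/run1/artifacts/model",
    "/allowed/model/path/../../../tmp/x",
    "/allowed/model/path/a/../../../../tmp/x",
    "/allowed/model/pathology/x",
]

def evaluate(samples=SAMPLES):
    """Return (source, prefix_ok, strict_ok, contained) for each sample."""
    return [
        (s, regex_accepts(PREFIX_REGEX, s), regex_accepts(STRICT_REGEX, s),
         stays_within_root(s))
        for s in samples
    ]

if __name__ == "__main__":
    for row in evaluate():
        print("%-45s prefix=%-5s strict=%-5s contained=%s" % row)
```

The second and third samples pass the prefix-only pattern yet resolve outside the root, which is the gap the stricter pattern closes.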

