CVE-2025-15036 Overview
A path traversal vulnerability exists in the extract_archive_to_dir function within the mlflow/pyfunc/dbconnect_artifact_cache.py file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member paths during extraction. An attacker with control over the tar.gz file can exploit this issue to overwrite arbitrary files or gain elevated privileges, potentially escaping the sandbox directory in multi-tenant or shared cluster environments.
Critical Impact
Attackers can exploit this path traversal vulnerability to write arbitrary files outside the intended extraction directory, potentially leading to remote code execution, privilege escalation, or sandbox escape in shared cluster environments.
Affected Products
- MLflow versions prior to v3.7.0
- Systems using the dbconnect_artifact_cache module for artifact extraction
- Multi-tenant or shared cluster environments running vulnerable MLflow instances
Discovery Timeline
- 2026-03-30 - CVE-2025-15036 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2025-15036
Vulnerability Analysis
This vulnerability is classified as CWE-29 (Path Traversal: '..\filename'), a critical weakness that allows attackers to access or overwrite files outside the intended directory structure. The vulnerable function extract_archive_to_dir processes tar.gz archive files without properly validating the paths of archived members before extraction.
When a user or automated process extracts a maliciously crafted tar archive, the attacker-controlled file paths can traverse out of the designated extraction directory using path manipulation techniques such as ../ sequences, absolute paths, or symbolic link exploitation. This is particularly dangerous in MLflow deployments where artifact caching is used in shared environments.
Root Cause
The root cause of this vulnerability is the absence of security checks on tar file members before extraction. The original implementation in dbconnect_artifact_cache.py extracted tar archives directly without verifying that:
- Member paths are not absolute (starting with /)
- Member paths do not escape the extraction directory using .. sequences
- Member paths do not traverse through symbolic links that could redirect writes to arbitrary locations
This missing validation allowed malicious tar files to specify destination paths outside the intended extraction sandbox.
Attack Vector
The attack vector is network-based, requiring user interaction to process a malicious tar.gz file. An attacker can craft a tar archive containing members with manipulated paths designed to escape the extraction directory. When this archive is processed by the vulnerable extract_archive_to_dir function, files are written to attacker-controlled locations on the filesystem.
In multi-tenant MLflow environments, this could allow:
- Escaping container or sandbox boundaries
- Overwriting configuration files to achieve code execution
- Modifying other tenants' artifacts or data
- Privilege escalation through overwriting system files
# Security patch - Added import for security check function
# Source: https://github.com/mlflow/mlflow/commit/3bf6d81ac4d38654c8ff012dbd0c3e9f17e7e346
import tarfile
from mlflow.utils.databricks_utils import is_in_databricks_runtime
-from mlflow.utils.file_utils import get_or_create_tmp_dir
+from mlflow.utils.file_utils import check_tarfile_security, get_or_create_tmp_dir
_CACHE_MAP_FILE_NAME = "db_connect_artifact_cache.json"
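Review bot: the call to check_tarfile_security is not visible in this hunk; only the import line changes, so the hunk alone does not show that extract_archive_to_dir runs the check before any member is written. Confirm the call sits ahead of the extraction step and add a regression test that passes a tar.gz with an absolute member and a `..` member and expects the exception.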
# Security patch - New check_tarfile_security function implementation
# Source: https://github.com/mlflow/mlflow/commit/3bf6d81ac4d38654c8ff012dbd0c3e9f17e7e346
def check_tarfile_security(archive_path: str) -> None:
"""
Check the tar file content.
If its members contain any of the following paths:
* An absolute path.
* A relative path that escapes the extraction directory.
* A relative path that goes through a symlink.
then raise an error.
"""
with tarfile.open(archive_path, "r") as tar:
symlink_set = set()
for m in tar.getmembers():
path = posixpath.normpath(m.name)
if m.issym():
symlink_set.add(path)
else:
if path.startswith("/"):
raise MlflowException(
"Absolute path destination in the archive file is not allowed, "
f"but got path {path}."
)
path_parts = path.split("/")
if path_parts[0] == "..":
raise MlflowException(
"Escaped path destination in the archive file is not allowed, "
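Review bot: in the `if m.issym():` branch the member is only recorded in `symlink_set`; the visible lines never inspect `m.linkname` and have no case for hard-link members (`m.islnk()`), so link targets are outside what these checks cover as shown. The excerpt ends mid-statement, so the symlink check promised by the docstring cannot be reviewed here; confirm it does not depend on the order of members in the archive, and consider also passing a tarfile extraction filter at the extraction call as a second layer.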
Detection Methods for CVE-2025-15036
Indicators of Compromise
- Unexpected files appearing outside MLflow artifact cache directories
- Tar archive extraction operations writing to system directories or parent paths
- Modified configuration files or scripts in MLflow deployment directories
- Evidence of symbolic link creation followed by tar extraction operations
Detection Strategies
- Monitor file system activity during artifact cache operations for writes outside designated directories
- Implement audit logging for tar archive extractions in MLflow environments
- Review MLflow logs for extraction operations involving archives from untrusted sources
- Deploy file integrity monitoring on critical system and configuration files
Monitoring Recommendations
- Enable verbose logging for the dbconnect_artifact_cache module to track archive extraction activities
- Configure alerts for file modifications in sensitive directories following MLflow artifact operations
- Implement network monitoring to detect suspicious artifact uploads containing potential path traversal payloads
- Regularly audit MLflow artifact storage for anomalous file patterns or unexpected symbolic links
How to Mitigate CVE-2025-15036
Immediate Actions Required
- Upgrade MLflow to version v3.7.0 or later immediately
- Audit existing artifact caches for any signs of exploitation or unexpected files
- Review access controls on artifact upload functionality to limit exposure
- Implement network segmentation to isolate MLflow services from sensitive systems
Patch Information
The vulnerability has been addressed in MLflow version v3.7.0. The fix introduces a new check_tarfile_security function in mlflow/utils/file_utils.py that validates all tar archive members before extraction. This function rejects archives containing:
- Absolute paths
- Relative paths that escape the extraction directory via .. sequences
- Paths that traverse through symbolic links
For technical details on the patch, see the GitHub commit 3bf6d81 and the Huntr security bounty report.
Workarounds
- If immediate upgrade is not possible, restrict artifact upload capabilities to trusted users only
- Implement external archive validation before processing in MLflow pipelines
- Deploy MLflow in isolated environments with limited filesystem access
- Use read-only filesystem mounts for critical system directories in containerized deployments
# Configuration example - Verify MLflow version and upgrade
pip show mlflow | grep Version
# Quote the requirement so the shell does not treat >= as an output redirection
pip install --upgrade "mlflow>=3.7.0"
# Verify the patch is applied by checking for the security function
python -c "from mlflow.utils.file_utils import check_tarfile_security; print('Patch verified')"
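The three checks listed under Root Cause, and the "external archive validation" workaround above, can be sketched as a pre-extraction validator. This is an added example, not MLflow's check_tarfile_security; it goes further than the excerpt by also checking link targets, hard links and special files, and by being independent of member order. The function names and the sample archives are constructed for illustration.

```python
import io
import posixpath
import tarfile


def _outside(path: str) -> bool:
    """True if a normalized POSIX path is absolute or climbs above its root."""
    return path.startswith("/") or path.split("/")[0] == ".."


def archive_problems(tar: tarfile.TarFile) -> list[str]:
    """Return the reasons an archive is unsafe to extract (empty list = accept)."""
    members = tar.getmembers()
    # Collect symlink names first so the verdict does not depend on member order.
    links = {posixpath.normpath(m.name) for m in members if m.issym()}
    problems = []
    for m in members:
        name = posixpath.normpath(m.name)
        parts = name.split("/")
        # Proper prefixes for every member; the full name too unless it is the symlink itself.
        stop = len(parts) if m.issym() else len(parts) + 1
        if _outside(name):
            problems.append(f"path leaves destination: {m.name}")
        elif any("/".join(parts[:i]) in links for i in range(1, stop)):
            problems.append(f"path passes through a symlink: {m.name}")
        if m.issym() or m.islnk():
            # Symlink targets resolve from the member's directory, hard links from the root.
            base = posixpath.dirname(name) if m.issym() else ""
            if _outside(posixpath.normpath(posixpath.join(base, m.linkname))):
                problems.append(f"link target leaves destination: {m.name}")
        elif not (m.isfile() or m.isdir()):
            problems.append(f"device or FIFO member: {m.name}")
    return problems


def build_archive(entries: list[tuple[str, str]]) -> tarfile.TarFile:
    """Constructed sample input: (name, symlink_target or '') pairs in an in-memory tar."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, target in entries:
            info = tarfile.TarInfo(name)
            if target:
                info.type, info.linkname = tarfile.SYMTYPE, target
            tar.addfile(info, None if target else io.BytesIO(b""))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")
```

Run the validator on the archive before extraction and refuse the whole archive if the list is non-empty. On Python 3.12 and later, passing `filter="data"` to `extractall` adds the standard library's own member filtering as a second layer.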


