CVE-2025-15031 - Vulnerability Analysis
Severity: High | CVSS: 8.1 | Last Updated: March 18, 2026
MLflow - Unrestricted File Upload
Published: March 18, 2026 | Updated: March 18, 2026
Overview
MLflow contains an unrestricted file upload vulnerability caused by improper path validation in tarfile.extractall during pyfunc model extraction. An attacker who supplies a crafted tar.gz archive can write arbitrary files on the host and potentially execute code remotely.
Severity & Score
Severity: High
CVSS Score: 8.1
Impact
Attackers can overwrite arbitrary files and potentially execute code remotely, risking full system compromise where MLflow loads artifacts from multiple tenants or from untrusted sources.
Mitigation
Update to the latest version of MLflow.
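As an added, defensive illustration (not MLflow's code and not part of this advisory), the path validation that a plain tarfile.extractall call lacks: every member is resolved against the destination directory before anything is written, so a constructed archive with a traversal or absolute-path member is rejected outright. The helper names `safe_extract` and `try_extract` are assumptions made for this example.

```python
import io
import os
import tarfile
import tempfile
from pathlib import Path


def _is_within(base: Path, target: Path) -> bool:
    # target need not exist yet; resolve() still normalises '..' components
    try:
        target.resolve().relative_to(base.resolve())
        return True
    except ValueError:
        return False


def safe_extract(archive: tarfile.TarFile, dest: str) -> list[str]:
    """Validate every member, then extract. Raises ValueError on the first
    offending member so a crafted archive never touches the filesystem."""
    base = Path(dest).resolve()
    members = archive.getmembers()
    for m in members:
        target = base / m.name
        if m.isdev():
            raise ValueError(f"device member not allowed: {m.name}")
        if os.path.isabs(m.name) or not _is_within(base, target):
            raise ValueError(f"member escapes destination: {m.name}")
        if m.issym() or m.islnk():
            # symlink targets are relative to the link's directory, hardlink targets to the root
            link = target.parent / m.linkname if m.issym() else base / m.linkname
            if os.path.isabs(m.linkname) or not _is_within(base, link):
                raise ValueError(f"link escapes destination: {m.name}")
    # Python 3.12+ (and backported point releases) ships filter="data", which
    # performs equivalent checks natively; use it as a second layer when present.
    kw = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    archive.extractall(base, members=members, **kw)
    return [m.name for m in members]


def try_extract(entries: dict[str, bytes]) -> tuple[bool, list[str]]:
    """Build a tar.gz in memory from constructed entries, extract into a fresh
    temp dir; return (accepted, extracted member names)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    with tempfile.TemporaryDirectory() as tmp, tarfile.open(fileobj=buf) as tar:
        try:
            return True, safe_extract(tar, tmp)
        except ValueError:
            return False, []
```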
Details
- CVE ID: CVE-2025-15031
- Severity: High
- CVSS Score: 8.1
- Type: unrestricted_file_upload
- Status: new
- CWE: CWE-22
CVSS Metrics
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N