- CVSS
- CRITICAL · 9.8 v3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Published
- 2026-03-30
- Weakness
- CWE-77
- Source
- nvd.nist.gov/vuln/detail/CVE-2025-15379
Description
A command injection vulnerability exists in MLflow’s model serving container initialization code, specifically in the _install_model_dependencies_to_env() function. When deploying a model with env_manager=LOCAL, MLflow reads dependency specifications from the model artifact’s python_env.yaml file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects versions 3.8.0 and is fixed in version 3.8.2.
References
How GTK Cyber trains on this
AI security training at GTK Cyber covers the LLM and ML-pipeline vulnerability classes that vulnerabilities like CVE-2025-15379 fall into. Our hands-on courses are taught by Charles Givre and other practitioners who break and defend production AI systems.