CVE-2025-15379: Critical CVSS 10.0 Command Injection in MLflow Model Serving
Summary
CVE-2025-15379 is a CVSS 10.0 command injection vulnerability in MLflow's model serving container initialization code, allowing unauthenticated remote attackers to execute arbitrary commands. MLflow is widely used in enterprise AI/ML pipelines for experiment tracking and model deployment. The vulnerability poses a critical risk to organizations running MLflow in production environments.
Threat Analysis
CVE-2025-15379 is a maximum-severity (CVSS 10.0) command injection vulnerability in MLflow, the popular open-source platform for managing the machine learning lifecycle. The vulnerability exists in MLflow's model serving container initialization code.
Affected Products: MLflow model serving components. MLflow is widely deployed in enterprise AI/ML pipelines across industries including finance, healthcare, and technology.
Vulnerability Details: The command injection flaw allows unauthenticated remote attackers to execute arbitrary system commands through specially crafted requests to the model serving endpoint. Successful exploitation could lead to complete server compromise, data exfiltration of ML models and training data, and lateral movement within the hosting environment.
Risk Context: MLflow deployments often have access to sensitive training datasets, proprietary model weights, and cloud credentials (AWS, Azure, GCP). Compromise of an MLflow server could expose valuable intellectual property and enable further attacks on connected cloud infrastructure.
Recommended Mitigations: Update MLflow to the latest patched version immediately. Restrict network access to MLflow serving endpoints — never expose them publicly without authentication. Implement network segmentation to isolate MLflow from production systems. Review MLflow deployment configurations and apply principle of least privilege to service accounts.