CVE-2025-15036

Published: Mar 30, 2026 Last Modified: Mar 30, 2026

ExploitDB:

Other exploit source:

Google Dorks:

CRITICAL 9,6

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: required

Scope: changed

Confidentiality: high

Integrity: high

Availability: high

Description

AI Translation Available

A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member paths during extraction. An attacker with control over the tar.gz file can exploit this issue to overwrite arbitrary files or gain elevated privileges, potentially escaping the sandbox directory in multi-tenant or shared cluster environments.

Path Traversal: '\..\filename'

Incomplete

Abstraction: Variant Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity

Potential Impacts:

Read Files Or Directories Modify Files Or Directories

Applicable Platforms

All platforms may be affected

View CWE Details

https://github.com/mlflow/mlflow/commit/3bf6d81ac4d38654c8f…

https://github.com/mlflow/mlflow/commit/3bf6d81ac4d38654c8ff012dbd0c3e9f17e7e346

https://huntr.com/bounties/36c314cf-fd6e-4fb0-b9b0-1b47bcdf…

https://huntr.com/bounties/36c314cf-fd6e-4fb0-b9b0-1b47bcdf0eb0

CVE-2025-15036

Description

Path Traversal: '\..\filename'

Common Consequences

Applicable Platforms

Iscriviti alla newsletter