Introduction
Remote code execution on machine learning infrastructure can lead to loss of intellectual property, tampering with model integrity, or full compromise of production systems. CVE-2025-11201 demonstrates how improper input validation in a widely used ML platform can expose organizations to these risks without requiring any credentials.
MLflow is an open-source platform under the Linux Foundation, designed for managing the machine learning lifecycle. It is widely adopted in both research and industry, with a large user base and integrations across major ML frameworks. MLflow's Tracking Server component is frequently deployed as a central point for experiment tracking and model management.
Technical Information
CVE-2025-11201 is a directory traversal vulnerability within the MLflow Tracking Server's model creation process. The vulnerability arises from the failure to properly validate user-supplied file paths before using them in file operations. Specifically, the source parameter provided to model creation endpoints is not sanitized, allowing attackers to include directory traversal sequences such as "../".
By sending a crafted HTTP POST request to the model version creation endpoint and specifying a source value with traversal sequences, an attacker can escape the intended artifact directory. This enables them to write files to arbitrary locations on the server filesystem. If the attacker writes a file that is subsequently loaded by the Python interpreter (for example, a .py or .pth file in a directory within sys.path), arbitrary code execution occurs in the context of the MLflow service account.
This issue is categorized as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The vulnerability does not require authentication, significantly increasing its impact in exposed environments.
For more details, see the Zero Day Initiative advisory and the public patch commit.
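A containment check of the kind this class of flaw (CWE-22) calls for, shown as an added example that is not MLflow's code or the patch itself. The artifact root and both function names are assumptions; the naive function shows the unvalidated join for contrast.

```python
import os
from urllib.parse import unquote, urlsplit

# Assumed artifact root for this sketch; not a path taken from MLflow.
ARTIFACT_ROOT = "/srv/mlflow/artifacts"


def naive_destination(source: str, root: str = ARTIFACT_ROOT) -> str:
    """Flawed pattern: join the caller-supplied value and use the result."""
    return os.path.normpath(os.path.join(root, source))


def safe_destination(source: str, root: str = ARTIFACT_ROOT) -> str:
    """Return an absolute path under root, or raise ValueError."""
    parts = urlsplit(source)
    if parts.scheme not in ("", "file"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if parts.netloc:
        raise ValueError("host component not allowed in source")
    # Anything split off here would never be validated, so refuse it.
    if parts.query or parts.fragment:
        raise ValueError("query or fragment not allowed in source")
    # Decode once so %2e%2e%2f is judged in the form the filesystem sees.
    path = unquote(parts.path)
    if "\x00" in path:
        raise ValueError("NUL byte in source")
    root_real = os.path.realpath(root)
    # realpath collapses ".." and follows symlinks before the comparison.
    # An absolute path replaces root in the join and is caught below.
    candidate = os.path.realpath(os.path.join(root_real, path))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError(f"source escapes artifact root: {source!r}")
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs, not values from the advisory.
    for sample in ["run1/model", "../../outside.pth", "%2e%2e/outside.py"]:
        try:
            print(sample, "->", safe_destination(sample))
        except ValueError as exc:
            print(sample, "-> rejected:", exc)
```

The comparison uses resolved paths on both sides, so a symlink inside the artifact root that points elsewhere is rejected along with literal and percent-encoded traversal.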
Affected Systems and Versions
- MLflow Tracking Server is affected
- The vulnerability is present in versions prior to the public patch referenced in this commit
- All configurations where the Tracking Server is network-accessible and model creation endpoints are exposed are vulnerable
Vendor Security History
MLflow has a history of path traversal and file handling vulnerabilities, including:
- CVE-2023-1177: Path traversal in static file serving
- CVE-2023-6018: Arbitrary file write via artifact handling
- CVE-2024-1483: Path traversal via URI fragment
The vendor typically responds with timely patches and participates in coordinated disclosure programs such as the Zero Day Initiative.



