Executive Summary

CVE-2025-15036 is a path traversal vulnerability in the MLflow project, specifically in the function extract_archive_to_dir that extracts tar archive files. The vulnerability occurs because the function does not validate the paths of files inside the tar archive before extraction.

An attacker who controls the tar.gz file can craft malicious archive contents with absolute paths, relative paths that escape the intended extraction directory, or symlinks that lead outside the extraction directory. Exploiting this, the attacker can overwrite arbitrary files on the system or gain elevated privileges, potentially escaping sandbox restrictions in multi-tenant or shared cluster environments.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including unauthorized file overwrites and privilege escalation. An attacker exploiting this flaw can overwrite critical system or application files by placing malicious files outside the intended extraction directory.

In environments where MLflow is used in multi-tenant or shared clusters, this can lead to sandbox escapes, allowing attackers to access or modify data and resources belonging to other users or processes.

Overall, it can compromise system integrity, confidentiality, and availability, leading to potential data breaches, service disruptions, or unauthorized control over the affected system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by inspecting tar.gz archive files before extraction to check for unsafe paths that could lead to path traversal or symlink traversal attacks.

Specifically, you should look for tar archive members that have:

• Absolute paths starting with "/"
• Relative path components that escape the extraction directory, such as ".."
• Symlinks that point outside the intended extraction directory or files that traverse these symlinks

You can use the following commands to inspect tar files for suspicious paths:

• List all files in the tar archive with their paths: `tar -tf archive.tar.gz`
• Check for absolute paths: `tar -tf archive.tar.gz | grep '^/'`
• Check for path traversal sequences: `tar -tf archive.tar.gz | grep '\.\.'`
• Check for symlinks inside the archive: `tar -tvf archive.tar.gz | grep '^l'`

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, you should upgrade MLflow to version 3.7.0 or later, where the vulnerability has been fixed.

The fix includes a security check that validates tar archive contents before extraction, preventing extraction of files with absolute paths, path traversal sequences, or symlink traversal.

If upgrading is not immediately possible, avoid extracting tar.gz files from untrusted or unauthenticated sources, especially in multi-tenant or shared cluster environments.

Additionally, manually inspect tar archives for unsafe paths using commands like those suggested for detection before extraction.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an attacker to overwrite arbitrary files or gain elevated privileges by exploiting path traversal during archive extraction. This could lead to unauthorized access or modification of sensitive data.

Such unauthorized access or data manipulation can potentially violate data protection regulations like GDPR or HIPAA, which require strict controls to protect personal and sensitive information from unauthorized access or alteration.

Therefore, if exploited, this vulnerability could compromise compliance with these standards by failing to ensure data integrity and confidentiality.

Useful 0 Not Useful 0