Detection Guidance

To detect this vulnerability, you should check the permissions of temporary directories created by mlflow, specifically those created by the functions get_or_create_nfs_tmp_dir() and _create_model_downloading_tmp_dir(). Look for directories with world-writable permissions (0o777) or group-writable permissions (0o770) in the relevant mlflow temporary directories.

• Use commands like `ls -ld /path/to/mlflow/tmp/*` to inspect directory permissions.
• Find directories with permissions 777 or 770 by running: `find /path/to/mlflow/tmp -type d \( -perm 0777 -o -perm 0770 \) -ls`.
• Check if your environment uses shared NFS mounts, as this vulnerability is critical in such setups.

Useful 0 Not Useful 0

Executive Summary

This vulnerability exists in mlflow/mlflow versions prior to 3.11.0, where certain functions create temporary directories with insecure permissions. Specifically, the get_or_create_nfs_tmp_dir() function creates directories with world-writable permissions (0o777), and the _create_model_downloading_tmp_dir() function creates directories with group-writable permissions (0o770). These permissions allow local attackers to modify model artifacts, such as cloudpickle-serialized Python objects. When these tampered artifacts are deserialized using cloudpickle.load(), attackers can achieve arbitrary code execution.

The vulnerability is especially critical in environments with shared NFS mounts, like Databricks, where NFS is enabled by default. It is a continuation of a previously partially fixed vulnerability (CVE-2025-10279).

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow local attackers to tamper with model artifacts stored in temporary directories with insecure permissions. By modifying these artifacts, attackers can execute arbitrary code when the tampered artifacts are deserialized. This can lead to unauthorized code execution within the affected environment.

The impact is particularly severe in shared environments with NFS mounts, where multiple users have access to the same file system, increasing the risk of exploitation.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows local attackers to tamper with model artifacts and achieve arbitrary code execution in environments with shared NFS mounts. Such unauthorized access and manipulation of data could lead to breaches of confidentiality, integrity, and availability of sensitive information.

As a result, organizations using affected versions of mlflow may face challenges in maintaining compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data access and protection against unauthorized modification or execution of code.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading mlflow to version 3.11.0 or later, where the issue has been fixed.

If upgrading is not immediately possible, restrict permissions on the temporary directories created by mlflow to remove world-writable or group-writable access.

• Change permissions of the temporary directories to more restrictive settings, for example: `chmod 700 /path/to/mlflow/tmp/*`.
• Avoid running mlflow in environments with shared NFS mounts until the vulnerability is addressed.

Monitor and audit access to model artifacts to detect any unauthorized tampering.

Useful 0 Not Useful 0