CVE-2025-10279

7.0 HIGH

📋 TL;DR

This CVE describes a local privilege escalation vulnerability in mlflow versions before 3.4.0 where temporary directories for Python virtual environments are created with world-writable permissions (0o777). Attackers with write access to /tmp can exploit a race condition to overwrite .py files in virtual environments, leading to arbitrary code execution. This affects all mlflow deployments using vulnerable versions.

💻 Affected Systems

Products:
  • mlflow
Versions: All versions before 3.4.0, specifically including 2.20.3
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where mlflow creates Python virtual environments, typically during model training or deployment workflows.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise via arbitrary code execution with the privileges of the mlflow process, potentially leading to data exfiltration, lateral movement, or complete system takeover.

🟠 Likely Case

Local privilege escalation allowing attackers to execute arbitrary code within the mlflow environment, potentially accessing sensitive data or disrupting operations.

🟢 If Mitigated

Limited impact if file system permissions restrict write access to the /tmp directory and mlflow runs with minimal privileges.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and write permission to the /tmp directory. Exploitation involves race condition timing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.0

Vendor Advisory: https://github.com/mlflow/mlflow/commit/1d7c8d4cf0a67d407499a8a4ffac387ea4f8194a

Restart Required: Yes

Instructions:

1. Upgrade mlflow to version 3.4.0 or later using pip: 'pip install --upgrade "mlflow>=3.4.0"' (the inner quotes keep the shell from treating '>' as an output redirection)
2. Restart all mlflow services and processes
3. Verify the fix by checking the version with 'mlflow --version'

🔧 Temporary Workarounds

Secure /tmp directory permissions (Linux)

Restrict write access to the /tmp directory to prevent unauthorized users from exploiting the race condition

chmod 1777 /tmp
chown root:root /tmp

Use alternative temporary directory (Linux)

Configure mlflow to use a secure temporary directory with restricted permissions

export TMPDIR=/secure/tmp/directory
mlflow server --temp-dir /secure/tmp/directory

🧯 If You Can't Patch

  • Run mlflow with minimal privileges using a dedicated service account with restricted file system access
  • Implement strict access controls on the /tmp directory to prevent unauthorized write access by other users

🔍 How to Verify

Check if Vulnerable:

Check mlflow version: if version is less than 3.4.0, the system is vulnerable. Also verify if virtual environment directories in /tmp have 0o777 permissions during mlflow operations.

Check Version:

mlflow --version

Verify Fix Applied:

After upgrading to 3.4.0+, verify that temporary directories created by mlflow no longer have world-writable permissions (should be 0o700 or similar).
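
One way to run the permission check described above, as an added example (not mlflow's code and not part of the original advisory). The function names and the sample directories are constructed for illustration; the check flags directories directly under a temp root that are world-writable without the sticky bit and counts the .py files beneath them.

```python
import os
import shutil
import stat
import sys
import tempfile

def find_world_writable_dirs(root):
    """Return sorted (path, mode, owner_uid, py_file_count) tuples for directories
    directly under root that are world-writable and lack the sticky bit."""
    findings = []
    with os.scandir(root) as entries:
        for entry in entries:
            try:
                st = entry.stat(follow_symlinks=False)
            except OSError:
                continue  # entry vanished; temp dirs are short-lived
            if not stat.S_ISDIR(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                # Count .py files any local user could replace in this tree.
                py_files = sum(1 for _, _, files in os.walk(entry.path)
                               for name in files if name.endswith(".py"))
                findings.append((entry.path, oct(mode), st.st_uid, py_files))
    return sorted(findings)

def demo():
    """Constructed sample: one 0o777 directory (the vulnerable pattern) and one
    0o700 directory (the expected post-fix pattern), each holding a .py file."""
    root = tempfile.mkdtemp()
    try:
        for name, mode in (("tmp_bad", 0o777), ("tmp_good", 0o700)):
            lib = os.path.join(root, name, "lib")
            os.makedirs(lib)
            open(os.path.join(lib, "mod.py"), "w").close()
            os.chmod(os.path.join(root, name), mode)
        return find_world_writable_dirs(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    # Audit the directory given on the command line, or the default temp dir.
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.gettempdir()
    for path, mode, uid, py_count in find_world_writable_dirs(target):
        print(f"{mode} uid={uid} py_files={py_count} {path}")
```

Run it against the temp root while an mlflow workflow is active; on a patched host it should print nothing for mlflow-created directories.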

📡 Detection & Monitoring

Log Indicators:

  • Unusual file modifications in /tmp/mlflow* directories
  • Suspicious process creation from mlflow virtual environments
  • Permission change alerts on /tmp directories

Network Indicators:

  • Unexpected outbound connections from mlflow processes
  • Unusual data exfiltration patterns

SIEM Query:

source="mlflow.logs" AND (event="virtualenv_creation" OR event="tmp_directory_access") AND permissions="777"
