A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_manager=LOCAL`, MLflow reads dependency specifications from the model artifact's `python_env.yaml` file and directly interpolates them into a shell command without sanitization. This allows an attacker to supply a malicious model artifact and achieve arbitrary command execution on systems that deploy the model. The vulnerability affects versions 3.8.0 and is fixed in version 3.8.2.
When deploying a model with the `env_manager=LOCAL` parameter, MLflow reads dependency specifications from the `python_env.yaml` file contained in the model artifact. The read values are then directly inserted into a shell command without any sanitization or input validation. An attacker can place maliciously crafted values containing shell control sequences in the `python_env.yaml` file, leading to the execution of arbitrary commands in the context of the system running the model.
An attacker can achieve full execution of arbitrary commands (RCE) on the system deploying the model, which can result in server takeover, data theft, environment integrity violation, or further lateral movement in the network.
MLflow should be updated to version 3.8.2, where the vulnerability has been fixed. Until the update is applied, avoid deploying models from untrusted sources and restrict the ability to use the `env_manager=LOCAL` parameter in production environments.
MLflow version 3.8.0 (vendor: Lfprojects)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLfprojects Mlflow
APPLfprojects3.8.0 – 3.8.1
Related vulnerabilities
MLflow: nieautoryzowany dostęp do endpointów multipart upload (RCE)
MLflow: nieprawidłowa walidacja origin umożliwia RCE przez cross-origin request
Brak uwierzytelnienia w endpointach FastAPI jobs w MLflow (Auth Bypass / RCE)
Path traversal w MLflow — nadpisanie plików i eskalacja uprawnień
MLflow: path traversal w ekstrakcji archiwów tar umożliwia RCE