CVE-2025-14287 in MLflow
Summary
by MITRE • 03/16/2026
A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the `mlflow/sagemaker/__init__.py` file at lines 161-167. The vulnerability arises from the direct interpolation of user-supplied container image names into shell commands without proper sanitization, which are then executed using `os.system()`. This allows attackers to execute arbitrary commands by supplying malicious input through the `--container` parameter of the CLI. The issue affects environments where MLflow is used, including development setups, CI/CD pipelines, and cloud deployments.
Analysis
by VulDB Data Team • 03/16/2026
This command injection vulnerability in mlflow/mlflow versions prior to v3.7.0 represents a critical security flaw that directly impacts the integrity and confidentiality of machine learning deployment environments. The vulnerability exists within the sagemaker module where user-supplied container image names are directly interpolated into shell commands without proper input validation or sanitization. The specific location in `mlflow/sagemaker/__init__.py` at lines 161-167 demonstrates a classic insecure coding pattern where external input flows directly into system execution contexts, creating a pathway for arbitrary code execution that aligns with CWE-78, which specifically addresses improper neutralization of special elements used in OS commands.
The technical implementation of this vulnerability leverages the os.system() function to execute shell commands constructed from user-provided parameters, particularly the --container CLI argument. When an attacker supplies malicious input through this parameter, the system does not properly sanitize or escape the container image name before incorporating it into shell command strings. This creates a scenario where command injection becomes possible through simple input manipulation, allowing attackers to execute arbitrary shell commands with the privileges of the mlflow process. The vulnerability is particularly dangerous in CI/CD environments where mlflow is used for automated deployment, as it could enable attackers to compromise entire build pipelines and access sensitive infrastructure resources.
The operational impact of this vulnerability extends across multiple deployment scenarios including development environments, continuous integration systems, and cloud-based machine learning platforms. Attackers could potentially execute commands that read sensitive configuration files, exfiltrate model data, install backdoors, or even compromise underlying cloud infrastructure. In cloud deployments using AWS SageMaker integration, this vulnerability could allow attackers to escalate privileges and access other resources within the same account, as the mlflow process would typically run with sufficient permissions to interact with cloud services. The vulnerability affects not just individual installations but entire deployment ecosystems where mlflow is integrated into automated workflows.
Mitigation strategies for this vulnerability require immediate patching to mlflow version 3.7.0 or later, where the command injection issue has been resolved through proper input sanitization and parameter handling. Organizations should implement comprehensive input validation for all user-supplied parameters, particularly those used in system command execution contexts. The fix should employ proper escaping mechanisms and avoid direct shell command construction from user input, instead utilizing safer alternatives such as subprocess with proper argument handling or direct API calls where possible. Additionally, implementing the principle of least privilege for mlflow processes, network segmentation, and monitoring for unusual command execution patterns can help detect and prevent exploitation attempts. This vulnerability aligns with ATT&CK technique T1059.001 for command and script injection, making it a significant concern for organizations following security frameworks that emphasize prevention of execution-based attacks.
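As an added illustration (not MLflow's own code), the unsafe pattern the analysis describes is reconstructed beside the hardened form the mitigation paragraph recommends: allow-list the container image name against an image-reference grammar, then hand subprocess an argv list so no shell ever parses it. The `docker tag` command, the `_IMAGE_REF` grammar subset and the sample image names are assumptions.

```python
import re
import subprocess

# Assumed: a conservative subset of the OCI image reference grammar, i.e.
# optional registry host[:port]/, a lowercase repository path, an optional
# :tag and an optional @sha256 digest. Nothing else (spaces, ';', '$', '|',
# quotes) can pass, so the name can never carry shell syntax.
_IMAGE_REF = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9._-]*[a-z0-9])?(?::[0-9]+)?/)?"   # registry host[:port]/
    r"[a-z0-9]+(?:[._-][a-z0-9]+)*(?:/[a-z0-9]+(?:[._-][a-z0-9]+)*)*"  # repo path
    r"(?::[A-Za-z0-9_][A-Za-z0-9_.-]{0,127})?"                 # :tag
    r"(?:@sha256:[a-f0-9]{64})?$"                              # @digest
)


def is_valid_image_ref(name: str) -> bool:
    """Allow-list check: True only for a syntactically valid image reference."""
    return bool(_IMAGE_REF.fullmatch(name))


def vulnerable_command(image: str) -> str:
    """The unsafe pattern from the advisory, reconstructed (not MLflow's code):
    the user-controlled name is interpolated into a single string that would be
    handed to os.system(). The string is returned, not executed, for inspection."""
    return f"docker tag {image} mlflow-pyfunc:latest"


def hardened_argv(image: str) -> list[str]:
    """Reject anything outside the grammar, then build an argv list.

    Each list element becomes exactly one argument of the child process;
    with shell=False there is no interpreter to honour ';' or '$(...)'.
    """
    if not is_valid_image_ref(image):
        raise ValueError(f"invalid container image reference: {image!r}")
    return ["docker", "tag", image, "mlflow-pyfunc:latest"]


def run_hardened(image: str) -> subprocess.CompletedProcess:
    """Execute the hardened command (requires a docker binary on PATH)."""
    # shell=False is the default: argv goes to execve verbatim.
    return subprocess.run(hardened_argv(image), check=True, capture_output=True)
```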