5 matches found
CVE-2025-15031
A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of tarfile.extractall without path validation enables crafted tar.gz files containing .. or absolute paths to escape the intended extractio...
abadpour (>=6.13.1 <=7.24.1), abcli (>=9.273.1 <=9.572.1) +766 more potentially affected by CVE-2025-15031 via mlflow-skinny (>=3.0.0 <=3.9.0)
mlflow-skinny PYPI version =3.0.0, =6.13.1, =9.273.1, =2.0.0, =0.1.0, =0.1.0, =0.4.4, =0.3.0, =0.1.0, =1.0.0, =1.1.0, =0.1.0, =1.0.0, =1.0.1 and more Source cves: CVE-2025-15031 Source advisory: SNYK:PYTHON-MLFLOWSKINNY-16698159...
abadpour (>=6.13.1 <=7.24.1), abcli (>=9.273.1 <=9.572.1) +702 more potentially affected by CVE-2025-15031 via mlflow (>=3.0.0rc2 <=3.9.0)
mlflow PYPI version =3.0.0rc2, =6.13.1, =9.273.1, =2.0.0, =0.1.0, =0.1.0, =0.4.4, =0.3.0, =0.1.0, =1.0.0, =1.1.0, =0.1.0, =1.0.0, =1.0.1 and more Source cves: CVE-2025-15031 Source advisory: SNYK:PYTHON-MLFLOW-15700505...
a2 (>=0.1.0 <=0.3.17), abadpour (>=6.13.1 <=7.24.1) +952 more potentially affected by CVE-2025-15031 via mlflow (>=0.8.2 <=3.9.0)
mlflow PYPI version =0.8.2, =0.1.0, =6.13.1, =9.273.1, =1.1.0, =0.1.0, =0.1.0, =0.4.4, =0.3.0, =0.0.5, =1.0.0, =0.1.0, =1.1.1 - ai-helpers-pytorch-utils =0.1.0a1 - ailine-core =0.5.5 and more Source cves: CVE-2025-15031 Source advisory: OSV:GHSA-FHFF-QMM8-H2FP...
CVE-2025-15031 Path Traversal Vulnerability in mlflow/mlflow
A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of tarfile.extractall without path validation enables crafted tar.gz files containing .. or absolute paths to escape the intended extractio...