CVE-2025-15036: CWE-29 Path Traversal: '\..\filename' in mlflow mlflow/mlflow
CVE-2025-15036 is a critical path traversal vulnerability in the mlflow/mlflow project affecting versions prior to v3.7.0. It exists in the extract_archive_to_dir function due to improper validation of tar archive member paths, allowing crafted tar.gz files to overwrite arbitrary files outside the intended extraction directory. Exploitation requires an attacker to supply a malicious archive and user interaction to trigger extraction. Successful exploitation can lead to full compromise of the host system, including privilege escalation and sandbox escape in multi-tenant or shared cluster environments. The vulnerability has a CVSS score of 9.6, indicating critical severity with high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild.
AI Analysis
Technical Summary
CVE-2025-15036 is a critical path traversal vulnerability identified in the mlflow/mlflow open-source project, specifically within the extract_archive_to_dir function located in the mlflow/pyfunc/dbconnect_artifact_cache.py file. The vulnerability arises because the function does not properly validate the paths of members inside tar.gz archives before extraction. This lack of validation allows an attacker who can supply a malicious tar.gz archive to craft file paths containing sequences like "\..\filename" or "../filename" that traverse directories outside the intended extraction directory. Consequently, the attacker can overwrite arbitrary files on the host filesystem, potentially including sensitive configuration files, binaries, or system files. This can lead to privilege escalation, arbitrary code execution, or sandbox escape, especially in multi-tenant or shared cluster environments where mlflow is used to manage machine learning artifacts. The vulnerability affects all versions of mlflow prior to v3.7.0, where the issue was addressed. The CVSS v3.0 base score is 9.6, reflecting the vulnerability's ease of remote exploitation (no privileges required), the need for user interaction (triggering extraction), and the critical impact on confidentiality, integrity, and availability. Although no known exploits have been reported in the wild, the vulnerability's nature and severity make it a high-risk threat for organizations relying on mlflow for artifact management in data science workflows.
Potential Impact
The impact of CVE-2025-15036 is severe for organizations using mlflow in their machine learning lifecycle management, particularly in environments where multiple tenants or users share infrastructure. Exploitation can lead to arbitrary file overwrite, resulting in unauthorized modification or deletion of critical files, potentially causing system instability or denial of service. More critically, attackers can escalate privileges or execute arbitrary code by overwriting binaries or configuration files, leading to full system compromise. In cloud or containerized environments, this can allow attackers to escape sandbox restrictions, compromising other tenants or workloads on the same host. The breach of confidentiality, integrity, and availability can disrupt business operations, lead to data breaches, and cause significant reputational and financial damage. Given mlflow's widespread use in data science and AI workflows globally, the vulnerability poses a substantial risk to organizations relying on these technologies for critical decision-making and product development.
Mitigation Recommendations
To mitigate CVE-2025-15036, organizations should immediately upgrade mlflow to version 3.7.0 or later, where the vulnerability has been patched with proper validation of archive paths during extraction. Until upgrading is possible, implement strict input validation and sanitization on any tar.gz files used with mlflow, ensuring no path traversal sequences exist in archive member names. Employ runtime protections such as containerization with strict filesystem permissions and mandatory access controls (e.g., SELinux, AppArmor) to limit the impact of potential exploitation. Monitor logs for unusual file extraction activities or unexpected modifications to critical files. Restrict access to artifact upload and extraction functionalities to trusted users only, and consider implementing network segmentation to isolate mlflow servers from sensitive infrastructure. Regularly audit and review artifact repositories for suspicious or malformed archives. Finally, educate data science and DevOps teams about the risks of untrusted artifact sources and enforce secure artifact handling policies.
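The member-name validation recommended above, as an added defensive example that is not mlflow's own patch: every tar member is resolved against the intended extraction directory before anything is written, with backslashes treated as separators so the '\..\filename' form named in the title is rejected on any host, and symlink or hardlink targets are checked the same way. The archive contents, the model/MLmodel names and the /srv/mlflow/cache destination are constructed for the demo.

```python
import io
import os
import posixpath
import tarfile

def member_escapes(name: str, dest: str) -> bool:
    """True if a member path resolves outside dest (absolute names included).
    Backslashes count as separators so '\\..\\filename' (CWE-29) is caught on any host."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name.replace("\\", "/")))
    return os.path.commonpath([dest_real, target]) != dest_real

def unsafe_members(tar: tarfile.TarFile, dest: str) -> list:
    """Members to refuse: traversal in the name, or a link whose target escapes dest."""
    bad = []
    for m in tar.getmembers():
        if member_escapes(m.name, dest):
            bad.append(m.name)
        elif m.issym() or m.islnk():
            # symlink targets are relative to the member's directory, hardlinks to the archive root
            base = posixpath.dirname(m.name.replace("\\", "/")) if m.issym() else ""
            if member_escapes(posixpath.join(base, m.linkname), dest):
                bad.append(m.name)
    return bad

def scan_archive(archive: bytes, dest: str) -> list:
    """Return unsafe member names; extract (with filter="data" on Python 3.12+) only if empty."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        return unsafe_members(tar, dest)

def build_archive(entries: dict) -> bytes:
    """Constructed in-memory tar.gz: bytes values become regular files, str values symlinks."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)
            if isinstance(data, str):
                info.type, info.linkname = tarfile.SYMTYPE, data
            else:
                info.size = len(data)
            tar.addfile(info, io.BytesIO(data) if isinstance(data, bytes) else None)
    return buf.getvalue()

def demo(dest: str = "/srv/mlflow/cache") -> tuple:
    # dest is a constructed cache path; it need not exist for the check to run
    hostile = build_archive({"model/MLmodel": b"ok", "../../evil.txt": b"x",
                             "..\\evil.txt": b"x", "model/cfg": "../../../etc/passwd"})
    clean = build_archive({"model/MLmodel": b"ok", "model/data/w.bin": b"\0" * 8})
    return scan_archive(hostile, dest), scan_archive(clean, dest)
```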
Affected Countries
United States, China, Germany, India, United Kingdom, Canada, France, Australia, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: @huntr_ai
- Date Reserved: 2025-12-23T01:57:43.568Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 69c9d408e6bfc5ba1d7f349e
Added to database: 3/30/2026, 1:38:16 AM
Last enriched: 3/30/2026, 1:53:33 AM
Last updated: 3/30/2026, 2:43:48 AM