CVE-2025-15379: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') in mlflow mlflow/mlflow
CVE-2025-15379 is a critical command injection vulnerability in MLflow's model serving container initialization, specifically in the _install_model_dependencies_to_env() function. When deploying models with env_manager=LOCAL, MLflow unsafely interpolates dependency data from python_env.yaml into shell commands without sanitization, enabling attackers to execute arbitrary commands. This affects MLflow versions up to 3.8.0 and is fixed in 3.8.2. The vulnerability requires no authentication or user interaction and can lead to full system compromise. Organizations using MLflow for model deployment on local environments are at high risk.
AI Analysis
Technical Summary
CVE-2025-15379 is a critical command injection vulnerability identified in MLflow, an open-source platform widely used for managing the machine learning lifecycle. The flaw resides in the _install_model_dependencies_to_env() function within MLflow's model serving container initialization code. Specifically, when a model is deployed with the environment manager set to LOCAL, MLflow reads dependency specifications from the model artifact's python_env.yaml file. These dependencies are then interpolated directly into a shell command without any sanitization or validation. Because the dependency strings are treated as trusted input, an attacker who can supply a malicious model artifact can inject arbitrary shell commands, leading to remote code execution on the host where the model is deployed. The vulnerability affects MLflow versions up to 3.8.0 and was addressed in version 3.8.2. The CVSS v3.0 base score is 10.0, reflecting critical severity: the attack vector is network, no privileges or user interaction are required, and the impact on confidentiality, integrity, and availability is complete. Although no exploits have been observed in the wild yet, the vulnerability's nature and ease of exploitation make it a significant risk for organizations using MLflow for local model deployment.
Potential Impact
The impact of CVE-2025-15379 is severe, as it allows unauthenticated attackers to execute arbitrary commands on systems running vulnerable MLflow versions. This can lead to complete system compromise, including data theft, destruction, or manipulation, lateral movement within networks, and disruption of machine learning workflows. Organizations relying on MLflow for model deployment, especially in local environments, risk exposure of sensitive data and operational downtime. The vulnerability undermines the integrity and availability of ML models and associated infrastructure, potentially affecting business-critical AI services. Given MLflow's popularity in industries like finance, healthcare, and technology, the threat could have widespread consequences if exploited at scale.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade MLflow to version 3.8.2 or later, where the issue is fixed. Additionally, implement strict validation and sanitization of all model artifacts before deployment, especially the python_env.yaml files, to prevent malicious content injection. Restrict model deployment permissions to trusted users and environments only. Employ containerization and sandboxing techniques to isolate model serving environments, limiting the impact of potential exploits. Monitor deployment logs for unusual command executions or anomalies. Incorporate automated security scanning of model artifacts in the CI/CD pipeline to detect malicious payloads early. Finally, maintain up-to-date backups and incident response plans tailored to ML infrastructure compromise scenarios.
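The mechanism described in the technical summary and the artifact-validation step recommended above can be illustrated with a pre-deployment check. This is an added example, not MLflow's code and not the fix shipped in 3.8.2; it assumes python_env.yaml has already been parsed into a dict with a `dependencies` list, and the function names, regex and sample inputs are the editor's own.

```python
import re
import subprocess

# Allowlist for a single requirement: name, optional [extras], optional version
# constraints. Entries are rejected, never "cleaned", so nothing a shell could
# interpret (; | & $ ` quotes, redirects) is accepted, and a leading '-' cannot
# smuggle a pip option into the command line.
_REQ_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?"          # package name
    r"(?:\[[A-Za-z0-9._,-]+\])?"                             # optional extras
    r"(?:\s*(?:===|==|!=|<=|>=|~=|<|>)\s*[A-Za-z0-9.*+!-]+"  # first constraint
    r"(?:\s*,\s*(?:===|==|!=|<=|>=|~=|<|>)\s*[A-Za-z0-9.*+!-]+)*)?$"
)

def validate_dependencies(env):
    """Return the dependency list from a parsed python_env.yaml, raising
    ValueError on any entry that is not a plain requirement specifier."""
    deps = env.get("dependencies", [])
    if not isinstance(deps, list):
        raise ValueError("dependencies must be a list")
    clean = []
    for dep in deps:
        if not isinstance(dep, str) or not _REQ_RE.match(dep.strip()):
            raise ValueError(f"rejected dependency entry: {dep!r}")
        clean.append(dep.strip())
    return clean

def is_safe_env(env):
    """Boolean form of validate_dependencies for use in a CI/CD artifact gate."""
    try:
        validate_dependencies(env)
        return True
    except ValueError:
        return False

def build_install_argv(env, pip="pip"):
    """Build the installer call as an argv list. Handing subprocess a list
    (never shell=True) keeps each requirement a single argument even if the
    allowlist is later relaxed."""
    return [pip, "install", *validate_dependencies(env)]

def install(env, pip="pip"):
    """Validate first, then run the installer without a shell."""
    return subprocess.run(build_install_argv(env, pip), check=True)

# Constructed sample inputs standing in for parsed python_env.yaml files
# (hypothetical, not taken from any real model artifact).
GOOD_ENV = {"python": "3.11", "dependencies": ["numpy==1.26.4", "scikit-learn>=1.3,<1.5"]}
BAD_ENV = {"python": "3.11", "dependencies": ["pandas==2.2.2; echo injected"]}

if __name__ == "__main__":
    print(build_install_argv(GOOD_ENV))
    print("BAD_ENV accepted?", is_safe_env(BAD_ENV))
```

The allowlist deliberately also rejects URL and VCS requirements (git+https://..., file paths) and pip options, so an artifact that needs them must go through an explicit review step rather than the automatic install.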
Affected Countries
United States, Germany, United Kingdom, Canada, France, Japan, South Korea, Australia, India, China
Technical Details
- Data Version: 5.2
- Assigner Short Name: @huntr_ai
- Date Reserved: 2025-12-30T21:24:21.058Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 69ca2868e6bfc5ba1de5eb91
Added to database: 3/30/2026, 7:38:16 AM
Last enriched: 3/30/2026, 7:53:34 AM
Last updated: 3/30/2026, 10:05:54 AM