mlflow is vulnerable to Command Injection
Score: 87 (High Risk)
Affected versions of this package are vulnerable to command injection via malicious model artifacts. In the affected code, dependency specifications from a model’s python_env.yaml file were interpolated directly into a shell command when installing model dependencies. An attacker who can supply a crafted model artifact could include shell metacharacters (e.g., ;, |, backticks) in dependency strings, leading to arbitrary command execution during model deployment with env_manager=LOCAL. The fix replaces the vulnerable shell invocation with subprocess calls that take structured argument lists parsed with shlex.split(), so dependency strings can no longer inject unintended commands.
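The difference between the two patterns described above, as an added example that is not mlflow's own code: the function names, the constructed sample dependency lines and the stand-in installer (a child Python process that reports the arguments it received) are assumptions made so the comparison runs offline.

```python
import json
import shlex
import subprocess
import sys

# Stand-in for the real installer (assumption): a child Python that echoes
# back the argument vector it received, so the example runs offline.
INSTALLER = [sys.executable, "-c",
             "import json, sys; print(json.dumps(sys.argv[1:]))"]

# Constructed sample of dependency lines as they might appear in python_env.yaml.
SAMPLE_DEPS = ["requests==2.31.0", "numpy==1.26.4; echo INJECTED"]


def build_shell_command(deps):
    """Pre-fix pattern: dependency strings interpolated into one shell string."""
    return "pip install " + " ".join(deps)


def shell_operators(command):
    """Control operators a POSIX shell would act on in `command`.

    Illustration only: this lexer knows ();<>|& but not backticks or $().
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return [t for t in lexer
            if t and all(c in lexer.punctuation_chars for c in t)]


def build_argv(deps):
    """Post-fix pattern: tokenise each line with shlex.split() into one list."""
    argv = list(INSTALLER)
    for dep in deps:
        argv.extend(shlex.split(dep))
    return argv


def run_install(deps):
    """Run the stand-in installer without a shell; return the argv it saw."""
    proc = subprocess.run(build_argv(deps), capture_output=True,
                          text=True, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    print("shell string :", build_shell_command(SAMPLE_DEPS))
    print("operators    :", shell_operators(build_shell_command(SAMPLE_DEPS)))
    print("argv received:", run_install(SAMPLE_DEPS))
```

In the interpolated string the `;` is a command separator; in the argument-list form it arrives at the installer as part of an ordinary argument and no shell ever parses it.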
You are affected if you are using a version that falls within the vulnerable range.
mlflow is vulnerable to Command Injection in versions 2.17.2 - 3.8.0.
Upgrade the mlflow library to the patched version.