PT-2026-5652 · Databricks · Mlflow

Published

2026-02-02

·

Updated

2026-05-18

·

CVE-2025-10279

CVSS v3.1

7.0

High

Vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: mlflow versions prior to 3.4.0
Description: A flaw exists in mlflow version 2.20.3 where the temporary directory used for creating Python virtual environments is assigned insecure world-writable permissions (0o777). This allows an attacker with write access to the /tmp directory to exploit a race condition and overwrite .py files within the virtual environment, potentially leading to arbitrary code execution.
Recommendations: Update to mlflow version 3.4.0 or later.
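Added illustration of the permission problem the description refers to (constructed for this page; it is not mlflow's code and not part of the advisory): a staging directory chmod'ed to 0o777 beside the hardened tempfile.mkdtemp form, plus a precondition check a defender can run before writing .py files into such a directory. The helper names are assumptions.

```python
import os
import stat
import tempfile


# Constructed reproduction of the advisory's pattern (not mlflow's code):
# a venv staging directory with a predictable name, made world-writable.
def make_staging_dir_insecure(parent: str) -> str:
    path = os.path.join(parent, "venv-staging")  # predictable name
    os.mkdir(path)
    os.chmod(path, 0o777)  # any local user may now replace entries inside it
    return path


# Hardened form: mkdtemp picks an unpredictable name and creates it 0o700,
# so only the owner can add, remove or rename entries (e.g. .py files) in it.
def make_staging_dir_secure(parent: str) -> str:
    return tempfile.mkdtemp(prefix="venv-staging-", dir=parent)


def is_private_dir(path: str) -> bool:
    """True only if `path` is a real directory, owned by us, that no other
    user can write into: the precondition for safely staging code there."""
    st = os.lstat(path)  # lstat: refuse to follow a planted symlink
    if not stat.S_ISDIR(st.st_mode):
        return False
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        return False  # owned by someone else
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False  # group- or world-writable, as in the advisory
    return True


def demo() -> dict:
    """Create both variants under a fresh temp dir and check each one."""
    base = tempfile.mkdtemp(prefix="advisory-demo-")
    insecure = make_staging_dir_insecure(base)
    secure = make_staging_dir_secure(base)
    return {
        "insecure_passes_check": is_private_dir(insecure),
        "secure_passes_check": is_private_dir(secure),
        "secure_mode": stat.S_IMODE(os.lstat(secure).st_mode),
    }


if __name__ == "__main__":
    print(demo())
```

The check only reports the state at the moment it runs; the actual fix is to never create the directory 0o777 in the first place, as the hardened form does.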

Exploit

Fix

LPE

Weakness Enumeration

Related Identifiers

BIT-MLFLOW-2025-10279
CVE-2025-10279
GHSA-4X5P-F36R-MXXR

Affected Products

Mlflow