Remote Code Execution on Local System via MLproject YAML File
June 4, 2024
Products Impacted
This vulnerability was introduced in version 1.11.0 of MLflow.
CVSS Score: 8.8
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE Categorization
CWE-94: Improper Control of Generation of Code (‘Code Injection’).
Details
The vulnerability exists within the ML Project run procedure in the _run_entry_point function, within the projects/backend/local.py file.
def _run_entry_point(command, work_dir, experiment_id, run_id):
...
if os.name != "nt":
process = subprocess.Popen(["bash", "-c", command], close_fds=True, cwd=work_dir, env=env)
else:
process = subprocess.Popen(["cmd", "/c", command], close_fds=True, cwd=work_dir, env=env)An attacker can exploit this by creating an MLflow Project where the MLproject main entrypoint command contains arbitrary code (or an operating system appropriate command). The attacker could share this project with a victim, and when the victim runs mlflow run. from within the recipe directory, the code will be executed on the victim machine.
An example MLproject file:
name: RecipeTestingProject
conda_env: conda.yaml
entry_points:
main:
command: "python -c 'import os; os.system(\"ping -c 4 8.8.8.8\")'"Related SAI Security Advisory
November 26, 2025
Allowlist Bypass in Run Terminal Tool Allows Arbitrary Code Execution During Autorun Mode
When in autorun mode, Cursor checks commands sent to run in the terminal to see if a command has been specifically allowed. The function that checks the command has a bypass to its logic allowing an attacker to craft a command that will execute non-allowed commands.
October 17, 2025
Path Traversal in File Tools Allowing Arbitrary Filesystem Access
A path traversal vulnerability exists within Windsurf’s codebase_search and write_to_file tools. These tools do not properly validate input paths, enabling access to files outside the intended project directory, which can provide attackers a way to read from and write to arbitrary locations on the target user’s filesystem.