Path Traversal: '\..\filename'

CVE-2025-15036

High

9.6/10

Summary

A Path Traversal vulnerability exists in the "extract_archive_to_dir" function within the "mlflow/pyfunc/dbconnect_artifact_cache.py" file of the "mlflow/mlflow" repository. Prior to version 3.7.0, the application does not validate tar member paths during extraction. An attacker who controls a ".tar.gz" file may exploit this issue to overwrite arbitrary files or gain elevated privileges, potentially escaping the sandbox directory in multi-tenant or shared cluster environments.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: CHANGED
User Interaction: REQUIRED
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-29 - Path Traversal: '\..\filename'

The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.

References

Advisory Timeline

Published Mar 30, 2026

Path Traversal: '\..\filename'

CVE-2025-15036

Summary

CWE-29 - Path Traversal: '\..\filename'

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS