High severity (7.0) · NVD Advisory · Published Feb 2, 2026 · Updated Apr 14, 2026
CVE-2025-10279
Description
In mlflow version 2.20.3, the temporary directory used for creating Python virtual environments is assigned insecure world-writable permissions (0o777). This vulnerability allows an attacker with write access to the /tmp directory to exploit a race condition and overwrite .py files in the virtual environment, leading to arbitrary code execution. The issue is resolved in version 3.4.0.
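The weak pattern the description refers to, next to the hardened form and a check a practitioner can run before executing anything out of such a directory, as an added example. This is not mlflow's code and not the patch linked below; the function names (`make_venv_tmpdir_weak`, `make_venv_tmpdir_safe`, `world_writable_paths`, `venv_is_safe_to_run`, `demo`) and the `sitecustomize.py` stand-in file are assumptions made for the illustration. The only facts taken from the advisory are that the temp directory was chmod'ed to 0o777 and that a world-writable directory lets another local user replace .py files inside it.

```python
import os
import shutil
import stat
import tempfile
from typing import Optional


def make_venv_tmpdir_weak(parent: str) -> str:
    # Illustrative reproduction of the weak pattern: the temp directory that
    # will hold the virtual environment is explicitly loosened to 0o777, so
    # any local user who can reach it can drop or replace .py files there.
    d = tempfile.mkdtemp(prefix="venv-weak-", dir=parent)
    os.chmod(d, 0o777)
    return d


def make_venv_tmpdir_safe(parent: str) -> str:
    # Hardened form: mkdtemp already creates the directory as 0o700
    # (owner-only), so the fix is simply not to loosen it afterwards.
    return tempfile.mkdtemp(prefix="venv-safe-", dir=parent)


def world_writable_paths(root: str) -> list:
    """Return every directory and regular file under root (root included)
    whose mode grants write permission to 'other'. Symlinks are skipped so
    a link pointing elsewhere cannot mask the real permissions."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for p in [dirpath, *(os.path.join(dirpath, f) for f in filenames)]:
            st = os.lstat(p)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                findings.append(p)
    return findings


def venv_is_safe_to_run(venv_dir: str, expected_uid: Optional[int] = None) -> bool:
    """Pre-execution gate (assumed policy, not mlflow's): refuse to run an
    interpreter or script out of a venv whose tree is world-writable, is a
    symlink, or is not owned by the expected user."""
    uid = os.getuid() if expected_uid is None else expected_uid
    st = os.lstat(venv_dir)
    if stat.S_ISLNK(st.st_mode) or st.st_uid != uid:
        return False
    return not world_writable_paths(venv_dir)


def demo() -> dict:
    """Build one weak and one hardened venv directory, each holding a
    constructed .py file, and report what the checks say about them."""
    parent = tempfile.mkdtemp(prefix="cve-2025-10279-demo-")
    try:
        results = {}
        for label, maker in (("weak", make_venv_tmpdir_weak),
                             ("safe", make_venv_tmpdir_safe)):
            d = maker(parent)
            # Constructed stand-in for a file the venv would later execute.
            target = os.path.join(d, "sitecustomize.py")
            with open(target, "w") as fh:
                fh.write("print('hello from venv')\n")
            os.chmod(target, 0o644)  # fix the file mode so umask does not skew the audit
            results[label] = {
                "dir_world_writable": bool(os.stat(d).st_mode & stat.S_IWOTH),
                "findings": len(world_writable_paths(d)),
                "safe_to_run": venv_is_safe_to_run(d),
            }
        return results
    finally:
        shutil.rmtree(parent, ignore_errors=True)


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, r)
```

Note that the sticky bit on /tmp (mode 1777) only stops other users from deleting or renaming files they do not own; it does nothing about a subdirectory that is itself 0o777, where anyone can create new files and overwrite files that are writable. That is why the audit looks at the venv directory and its contents rather than at /tmp itself, and why the gate treats a single world-writable entry as disqualifying.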
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| mlflow | PyPI | < 3.4.0rc0 | 3.4.0rc0 |
Affected products
OSV coordinates, 2 version ranges (no CPE assigned):
- range: < 3.4.0
- range: < 3.4.0rc0
References
- github.com/mlflow/mlflow/commit/1d7c8d4cf0a67d407499a8a4ffac387ea4f8194a (NVD: Patch)
- github.com/advisories/GHSA-4x5p-f36r-mxxr (GHSA: Advisory)
- huntr.com/bounties/01d3b81e-13d1-43aa-b91a-443aec68bdc8 (NVD: Third Party Advisory, Exploit)
- nvd.nist.gov/vuln/detail/CVE-2025-10279 (GHSA: Advisory)