Is mlflow affected by CVE-2025-11201?

PyPI mlflow is affected in >=3.0.0rc0 <3.0.0, <2.22.4.

Is CVE-2025-11201 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 25.0%.

high

CVE-2025-11201

Q: Is CVE-2025-11201 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 25.0%.

PyPI · mlflow

Summary

MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability

Severity: high
EPSS: 25.0% (p98)
Also known as: GHSA-5cvj-7rg6-jggj, BIT-mlflow-2025-11201
Published: 2025-10-29

References

https://nvd.nist.gov/vuln/detail/CVE-2025-11201
https://github.com/B-Step62/mlflow/commit/2e02bc7bb70df243e6eb792689d9b8eba0013161
https://github.com/mlflow/mlflow/commit/5f98ff98659dddb188591ecf6b10a4e276a0dba7

Related advisories

CVE-2026-2611 — critical · PyPI/mlflow
CVE-2026-0545 — critical · PyPI/mlflow
CVE-2026-0596 — critical · PyPI/mlflow
CVE-2025-15379 — critical · PyPI/mlflow
CVE-2025-15036 — critical · PyPI/mlflow
CVE-2026-2635 — critical · PyPI/mlflow
CVE-2026-4137 — high · PyPI/mlflow
CVE-2026-2652 — high · PyPI/mlflow

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.