{"data":{"id":"62a5714a-58e4-44df-99e5-40f40f77b5c2","title":"CVE-2025-11201: MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows","summary":"MLflow Tracking Server contains a directory traversal (a vulnerability where an attacker uses special path characters like '../' to access files outside the intended directory) vulnerability that allows unauthenticated attackers to execute arbitrary code on the server. The flaw stems from insufficient validation of file paths when handling model creation, letting attackers run commands with the privileges of the service account running MLflow.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2025-11201","publishedAt":"2025-10-30T00:15:35.680Z","cveId":"CVE-2025-11201","cweIds":["CWE-22"],"cvssScore":"9.8","cvssSeverity":"critical","severity":"critical","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["MLflow"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.09099,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-126"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality","availability"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}