MLflow
cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*
- 3.8.0
A command injection vulnerability has been identified in MLflow version 3.8.0, specifically within the model serving container initialization code. The issue arises in the '_install_model_dependencies_to_env()' function, where dependency specifications are read from the model artifact's 'python_env.yaml' file and directly interpolated into a shell command without proper sanitization. This vulnerability allows an attacker to execute arbitrary commands on systems deploying the model, particularly when 'env_manager=LOCAL' is used. The flaw is present in versions prior to 3.8.2.
Exploitation of this vulnerability allows for arbitrary command execution on the host system where the MLflow model is deployed, with the commands executed under the privileges of the container or process, which is often root.
To reproduce this vulnerability, create a malicious 'python_env.yaml' file that includes a command injection payload, such as a dependency specification that, when processed by MLflow, executes a command and writes a success message to a file. Deploy a model using MLflow with 'env_manager=LOCAL', ensuring that the 'python_env.yaml' file is included in the model artifact. During the deployment, MLflow will execute the injected command, demonstrating the command injection vulnerability.
Users can upgrade to MLflow version 3.8.2 or later, where this vulnerability has been fixed.
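For code that installs dependencies from an untrusted model artifact, the defensive pattern is to validate each entry against an allowlist and pass the result to pip as an argument vector, so that no shell parses the strings. The following is an added example, not MLflow's code or its actual patch. The function names, the sample list and the allowlist pattern are assumptions made for illustration, and the pattern is deliberately stricter than full PEP 508 (it rejects environment markers and direct URLs).

```python
import re
import subprocess
import sys

# Constructed stand-in for the parsed "dependencies" list of a python_env.yaml.
# The third entry carries a shell metacharacter, the fourth a pip option.
SAMPLE_DEPENDENCIES = [
    "mlflow==3.8.2",
    "scikit-learn>=1.3,<2",
    "numpy; echo constructed-marker",
    "--index-url=https://index.invalid/simple",
]

_OP = r"(?:===|==|!=|<=|>=|~=|<|>)"
_VER = r"[A-Za-z0-9.*+!_-]+"
# Allowlist: name, optional [extras], optional comma-separated version specifiers.
# No whitespace, quotes, URLs, environment markers or leading "-" can match.
REQUIREMENT = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?"
    r"(?:\[[A-Za-z0-9._,-]+\])?"
    rf"(?:{_OP}{_VER}(?:,{_OP}{_VER})*)?"
)


def split_dependencies(deps):
    """Return (accepted, rejected); non-string entries are rejected too."""
    accepted, rejected = [], []
    for dep in deps:
        ok = isinstance(dep, str) and REQUIREMENT.fullmatch(dep) is not None
        (accepted if ok else rejected).append(dep)
    return accepted, rejected


def build_pip_argv(deps):
    """Build an argument vector for pip; refuse the whole set if any entry fails."""
    accepted, rejected = split_dependencies(deps)
    if rejected:
        raise ValueError(f"refusing untrusted dependency entries: {rejected!r}")
    # One list element per requirement: no shell ever parses these strings.
    return [sys.executable, "-m", "pip", "install", *accepted]


def install(deps):
    """Install validated dependencies without a shell (shell=False is the default)."""
    subprocess.run(build_pip_argv(deps), check=True)


if __name__ == "__main__":
    print(split_dependencies(SAMPLE_DEPENDENCIES))
```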