SAI Security Advisory

Remote Code Execution on Local System via MLproject YAML File

June 4, 2024

Products Impacted

This vulnerability was introduced in version 1.11.0 of MLflow.

CVSS Score: 8.8

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE Categorization

CWE-94: Improper Control of Generation of Code (‘Code Injection’).

Details

The vulnerability exists within the ML Project run procedure in the  _run_entry_point function, within the projects/backend/local.py file.

def _run_entry_point(command, work_dir, experiment_id, run_id):
	...
	if os.name != "nt":
    		process = subprocess.Popen(["bash", "-c", command], close_fds=True, cwd=work_dir, env=env)
	else:
    		process = subprocess.Popen(["cmd", "/c", command], close_fds=True, cwd=work_dir, env=env)

An attacker can exploit this by creating an MLflow Project where the MLproject main entrypoint command contains arbitrary code (or an operating system appropriate command). The attacker could share this project with a victim, and when the victim runs mlflow run. from within the recipe directory, the code will be executed on the victim machine.

An example MLproject file:

name: RecipeTestingProject

conda_env: conda.yaml

entry_points:
	main:
    		command: "python -c 'import os; os.system(\"ping -c 4 8.8.8.8\")'"

Related SAI Security Advisory

CVE-2025-62354

November 26, 2025

Allowlist Bypass in Run Terminal Tool Allows Arbitrary Code Execution During Autorun Mode

Cursor

When in autorun mode with the secure ‘Follow Allowlist’ setting, Cursor checks commands sent to run in the terminal by the agent to see if a command has been specifically allowed. The function that checks the command has a bypass to its logic, allowing an attacker to craft a command that will execute non-whitelisted commands.

November 2025
SAI-ADV-2025-012

October 17, 2025

Data Exfiltration from Tool-Assisted Setup

Windsurf

Windsurf’s automated tools can execute instructions contained within project files without asking for user permission. This means an attacker can hide instructions within a project file to read and extract sensitive data from project files (such as a .env file) and insert it into web requests for the purposes of exfiltration.

October 2025