CVE-2025-10951: 
Python vulnerability analysis and mitigation

A path traversal vulnerability has been identified in geyang ml-logger up to version acf255bade5be6ad88d90735c8367b28cbe3a743 (CVE-2025-10951). The vulnerability affects the loghandler function in mllogger/server.py. The issue was discovered on September 11, 2025, and publicly disclosed on September 25, 2025. The vulnerability allows remote attackers to manipulate the File argument to achieve path traversal attacks (VulDB, NVD).

The vulnerability exists in the loghandler function within mllogger/server.py. When handling file uploads, the function does not properly validate or sanitize the file name parameter, allowing for directory traversal attacks. The vulnerability has received a CVSS v3.1 base score of 7.3 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, and a CVSS v4.0 score of 6.9 (MEDIUM) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P (NVD).

The vulnerability allows attackers to write and overwrite any file on the server. This could lead to serious security breaches such as overwriting SSH authorized_keys files or modifying scheduled task files (crontab) to achieve remote code execution through reverse shells. The vulnerability can be exploited remotely without requiring authentication (GitHub Issue).

Security researchers recommend implementing proper file type validation before uploading and preventing the use of path traversal sequences (such as '../') in filenames. The project uses a rolling release approach for continuous delivery, so specific version details for the fix are not yet available (NVD).