CVE-2025-10951
Python vulnerability analysis and mitigation

Overview

A path traversal vulnerability was identified in geyang ml-logger version 0.10.36 and prior, specifically in the loghandler function of mllogger/server.py. The vulnerability allows unauthenticated users to upload and overwrite files on the server through directory traversal. The issue was discovered and disclosed in September 2025 (NVD, VulDB).

Technical details

The vulnerability exists in the loghandler function within mllogger/server.py, which processes file uploads without proper validation: it accepts any file upload request and processes it without validating the supplied filename or enforcing access controls. The vulnerability has received a CVSS v3.1 score of 7.3 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating remote exploitability with no authentication required (NVD).

Impact

The vulnerability allows attackers to write and overwrite any file on the server. This could lead to serious security compromises such as overwriting SSH authorized_keys files or modifying scheduled task files (crontab) to achieve remote code execution. The impact extends to potential system compromise and unauthorized access to server resources (GitHub).

Mitigation and workarounds

Security researchers recommend implementing proper file type validation before upload and preventing the use of directory traversal sequences (such as ../) in filenames. Users should upgrade to a patched version when available or implement strict input validation at the application level (GitHub).
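The filename containment check that the mitigation above calls for, shown as an added example that is not ml-logger's own code (the function names, the upload-root layout and the sample names are assumptions). Rather than searching the string for "../", it resolves the requested name against a fixed upload root and accepts it only if the resolved path stays inside that root, so absolute names, ".." sequences that escape the root, and symlinks inside the root that point outside it are all rejected.

```python
"""Added example (not ml-logger's code): contain a client-supplied upload
name inside a fixed upload root before any file is opened for writing."""
import os
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a requested name would escape the upload root."""


def resolve_upload_target(upload_root: str, requested_name: str) -> Path:
    """Return the absolute path a client's requested name maps to, or raise.

    Containment is tested on the *resolved* path, so '..' segments, absolute
    names and symlinks that lead outside the root are all rejected, not only
    the literal substring '../'.
    """
    if not requested_name or "\x00" in requested_name:
        raise UnsafePathError("empty name or NUL byte")
    root = Path(upload_root).resolve()
    # Joining discards `root` when requested_name is absolute; the
    # containment test below catches exactly that case.
    candidate = (root / requested_name).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise UnsafePathError(f"{requested_name!r} escapes {root}") from None
    if candidate == root:
        raise UnsafePathError("name resolves to the upload root itself")
    return candidate


def write_upload(upload_root: str, requested_name: str, data: bytes) -> Path:
    """Validated write: parent directories are created inside the root only."""
    target = resolve_upload_target(upload_root, requested_name)
    target.parent.mkdir(parents=True, exist_ok=True)
    # Mode 'xb' refuses to overwrite an existing file, which blocks the
    # overwrite half of the issue; use 'wb' only where replacing a client's
    # own earlier upload is intended behaviour.
    with open(target, "xb") as fh:
        fh.write(data)
    return target


def run_demo() -> dict:
    """Run the check over constructed names; returns name -> outcome."""
    # Constructed sample names, including the traversal shapes this CVE is about.
    names = [
        "run1/metrics.pkl",                      # ordinary upload: accepted
        "run1/../run2/metrics.pkl",              # '..' that stays inside: accepted
        "../../../root/.ssh/authorized_keys",    # classic traversal: rejected
        "/etc/crontab",                          # absolute name: rejected
        "run1/../../outside.txt",                # one level too far: rejected
    ]
    results = {}
    with tempfile.TemporaryDirectory() as root:
        resolved_root = Path(root).resolve()
        # A symlink inside the root that points at the root's parent: resolve()
        # follows it, so a benign-looking name is still rejected.
        try:
            os.symlink(os.path.dirname(root), os.path.join(root, "link"))
            names.append("link/escaped.txt")
        except OSError:
            pass  # platform without symlink support: skip that case
        for name in names:
            try:
                target = write_upload(root, name, b"constructed payload")
                results[name] = "accepted:" + str(target.relative_to(resolved_root))
            except UnsafePathError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name!r:45} -> {outcome}")
```

The check belongs in the handler before any open() call, and the decision is made on the resolved path rather than on the raw string, since a substring test for "../" misses absolute names, mixed separators and symlinks. A name such as "run1/../run2/metrics.pkl" is accepted because it never leaves the root; the check rejects escape, not the ".." characters themselves.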

This report was generated using AI.

Related Python vulnerabilities:

CVE ID         | Severity | Score | Technologies | Component name                 | CISA KEV exploit | Has fix | Published date
CVE-2025-7647  | HIGH     | 7.3   | Python       | llama-index-core               | No               | Yes     | Sep 27, 2025
CVE-2025-10951 | MEDIUM   | 6.9   | Python       | ml-logger                      | No               | No      | Sep 25, 2025
CVE-2025-59940 | MEDIUM   | 6.5   | Python       | mkdocs-include-markdown-plugin | No               | Yes     | Sep 29, 2025
CVE-2025-10952 | MEDIUM   | 5.5   | Python       | ml-logger                      | No               | No      | Sep 25, 2025
CVE-2025-10950 | MEDIUM   | 5.3   | Python       | ml-logger                      | No               | No      | Sep 25, 2025
