CVE-2025-10952: 
Python vulnerability analysis and mitigation

A security vulnerability (CVE-2025-10952) has been discovered in geyang ml-logger up to version acf255bade5be6ad88d90735c8367b28cbe3a743. The vulnerability affects the streamhandler function in the mllogger/server.py component of the File Handler. The issue was disclosed on September 25, 2025 (NVD).

The vulnerability exists in the stream_handler function where performing manipulation of the argument key can lead to information disclosure. The vulnerability has received a CVSS v4.0 score of 5.5 (Medium) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P, and a CVSS v3.1 score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-284 (Improper Access Control) (NVD).

The vulnerability allows unauthenticated users to read arbitrary files on the server through the stream_handler function. An attacker can exploit this to access sensitive information stored on the server, as there is no proper verification or filtering of user input parameters (GitHub Issue).

The recommended mitigation strategies include implementing proper access controls, disallowing absolute paths and directory traversal, and restricting file reading to only specified files. Users should update to a version newer than acf255bade5be6ad88d90735c8367b28cbe3a743 once available (GitHub Issue).