multi-model-server v1.1.11 depends on future, which is end-of-life and affected by CVE-2025-50817 (arbitrary code execution via unintended import of test.py). Please remove the dependency or provide a patched release.
Note that model-archiver, another dependency, also pulls in future.
Evidence:
setup.py includes install_requires=['Pillow','psutil','future','model-archiver'].
Minimal repro Dockerfile installs MMS and shows future==1.0.0 present: Dockerfile.txt
Resulting output log, incl. CVE scan flagging the issue: log.txt
Control test: commenting out the MMS install removes future (no other deps present).
Impact:
Any container using MMS directly—or via SageMaker Inference Toolkit, which is built on MMS—inherits the vulnerable future package.
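As an added example (not part of this report or of the MMS project), the following check walks package metadata and lists every chain by which a root distribution pulls in a flagged package, which is the question the control test above answers by hand. The `live_requires` helper and the constructed metadata table are assumptions; the metadata mirrors the install_requires quoted above plus the model-archiver -> future edge the report mentions.

```python
"""List every dependency chain from a root distribution to a flagged package."""
import re
from importlib import metadata

_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")


def normalize(name: str) -> str:
    """PEP 503-style normalisation so 'Model_Archiver' equals 'model-archiver'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def req_name(requirement: str) -> str:
    """Strip extras, version specifiers and environment markers from a requirement."""
    return normalize(_NAME_RE.match(requirement.strip()).group(0))


def dependency_chains(requires, root, target):
    """Return every path root -> ... -> target through the `requires` mapping.

    `requires` maps a distribution name to its requirement strings, in the
    shape importlib.metadata reports them. Cycles are cut by the `seen` set.
    """
    root, target = normalize(root), normalize(target)
    chains = []

    def walk(pkg, path, seen):
        for req in requires.get(pkg, []):
            dep = req_name(req)
            if dep == target:
                chains.append(path + [dep])
            elif dep not in seen:
                walk(dep, path + [dep], seen | {dep})

    walk(root, [root], {root})
    return chains


def live_requires():
    """Assumed helper: snapshot the current interpreter's installed distributions."""
    return {normalize(d.metadata["Name"]): d.requires or []
            for d in metadata.distributions() if d.metadata["Name"]}


# Constructed metadata (not read from a real environment): the MMS line is the
# install_requires quoted in the report; model-archiver -> future is also from it.
CONSTRUCTED = {
    "multi-model-server": ["Pillow", "psutil", "future", "model-archiver"],
    "model-archiver": ["future"],
    "future": [],
}

if __name__ == "__main__":
    for chain in dependency_chains(CONSTRUCTED, "multi-model-server", "future"):
        print(" -> ".join(chain))
```

Against a real image, replace `CONSTRUCTED` with `live_requires()` to see which installed distributions are responsible for `future` being present.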