PyPI package
mlflow
pkg:pypi/mlflow
Vulnerabilities (68)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-8859 | — | < 2.17.0rc0 | 2.17.0rc0 | Mar 20, 2025 | A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is | ||
| CVE-2024-6838 | — | <= 2.13.2 | — | Mar 20, 2025 | In mlflow/mlflow version v2.13.2, a vulnerability exists that allows the creation or renaming of an experiment with a large number of integers in its name due to the lack of a limit on the experiment name. This can cause the MLflow UI panel to become unresponsive, leading to a po | ||
| CVE-2024-27134 | — | < 2.16.0 | 2.16.0 | Nov 25, 2024 | Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf. This behavior can be exploited by a local attacker to gain elevated permissions by using a ToCToU attack. The issue is only relevant when the spark_udf() MLflow API is called. | ||
| CVE-2024-2928 | — | < 2.11.3 | 2.11.3 | Jun 6, 2024 | A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../ | ||
| CVE-2024-0520 | — | < 2.9.0 | 2.9.0 | Jun 6, 2024 | A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of special elements used in an OS command ('Command Injection') within the `mlflow.data.http_dataset_source.py` module. Specifically, when loading a dataset from a sourc | ||
| CVE-2024-3099 | — | < 2.11.3 | 2.11.3 | Jun 6, 2024 | A vulnerability in mlflow/mlflow version 2.11.1 allows attackers to create multiple models with the same name by exploiting URL encoding. This flaw can lead to Denial of Service (DoS) as an authenticated user might not be able to use the intended model, as it will open a differen | ||
| CVE-2024-37061 | — | >= 1.11.0, <= 2.13.1 | — | Jun 4, 2024 | Remote Code Execution can occur in versions of the MLflow platform running version 1.11.0 or newer, enabling a maliciously crafted MLproject to execute arbitrary code on an end user’s system when run. | ||
| CVE-2024-37060 | — | >= 1.27.0, <= 2.14.1 | — | Jun 4, 2024 | Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Recipe to execute arbitrary code on an end user’s system when run. | ||
| CVE-2024-37059 | — | >= 0.5.0, <= 3.4.0 | — | Jun 4, 2024 | Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with. | ||
| CVE-2024-37058 | — | >= 2.5.0, <= 2.14.1 | — | Jun 4, 2024 | Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.5.0 or newer, enabling a maliciously uploaded Langchain AgentExecutor model to run arbitrary code on an end user’s system when interacted with. | ||
| CVE-2024-37057 | — | >= 2.0.0rc0, <= 2.14.1 | — | Jun 4, 2024 | Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.0.0rc0 or newer, enabling a maliciously uploaded Tensorflow model to run arbitrary code on an end user’s system when interacted with. | ||
| CVE-2024-37056 | — | >= 1.23.0, <= 2.14.1 | — | Jun 4, 2024 | Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.23.0 or newer, enabling a maliciously uploaded LightGBM scikit-learn model to run arbitrary code on an end user’s system when interacted with. | ||
| CVE-2024-37055 | — | >= 1.24.0, <= 2.14.1 | — | Jun 4, 2024 | Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.24.0 or newer, enabling a maliciously uploaded pmdarima model to run arbitrary code on an end user’s system when interacted with. | ||
| CVE-2024-37054 | — | >= 0.9.0, <= 2.14.1 | — | Jun 4, 2024 | Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.9.0 or newer, enabling a maliciously uploaded PyFunc model to run arbitrary code on an end user’s system when interacted with. | ||
| CVE-2024-37053 | — | >= 1.1.0, <= 2.14.1 | — | Jun 4, 2024 | Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with. | ||
| CVE-2024-37052 | — | >= 1.1.0, <= 2.14.1 | — | Jun 4, 2024 | Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with. | ||
| CVE-2024-4263 | — | < 2.10.1 | 2.10.1 | May 16, 2024 | A broken access control vulnerability exists in mlflow/mlflow versions before 2.10.1, where low privilege users with only EDIT permissions on an experiment can delete any artifacts. This issue arises due to the lack of proper validation for DELETE requests by users with EDIT perm | ||
| CVE-2024-3848 | — | >= 2.9.2, < 2.12.1 | 2.12.1 | May 16, 2024 | A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '#' character can be used to insert a path into the fragmen | ||
| CVE-2024-3573 | — | < 2.10.0 | 2.10.0 | Apr 16, 2024 | mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the 'is_local_uri' function's failure to properly handle URIs with empty or 'file' schemes, | ||
| CVE-2024-1558 | — | < 2.12.1 | 2.12.1 | Apr 16, 2024 | A path traversal vulnerability exists in the `_create_model_version()` function within `server/handlers.py` of the mlflow/mlflow repository, due to improper validation of the `source` parameter. Attackers can exploit this vulnerability by crafting a `source` parameter that bypass |
- CVE-2024-8859Mar 20, 2025affected < 2.17.0rc0fixed 2.17.0rc0
A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is
- CVE-2024-6838Mar 20, 2025affected <= 2.13.2
In mlflow/mlflow version v2.13.2, a vulnerability exists that allows the creation or renaming of an experiment with a large number of integers in its name due to the lack of a limit on the experiment name. This can cause the MLflow UI panel to become unresponsive, leading to a po
- CVE-2024-27134Nov 25, 2024affected < 2.16.0fixed 2.16.0
Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf. This behavior can be exploited by a local attacker to gain elevated permissions by using a ToCToU attack. The issue is only relevant when the spark_udf() MLflow API is called.
- CVE-2024-2928Jun 6, 2024affected < 2.11.3fixed 2.11.3
A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../
- CVE-2024-0520Jun 6, 2024affected < 2.9.0fixed 2.9.0
A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of special elements used in an OS command ('Command Injection') within the `mlflow.data.http_dataset_source.py` module. Specifically, when loading a dataset from a sourc
- CVE-2024-3099Jun 6, 2024affected < 2.11.3fixed 2.11.3
A vulnerability in mlflow/mlflow version 2.11.1 allows attackers to create multiple models with the same name by exploiting URL encoding. This flaw can lead to Denial of Service (DoS) as an authenticated user might not be able to use the intended model, as it will open a differen
- CVE-2024-37061Jun 4, 2024affected >= 1.11.0, <= 2.13.1
Remote Code Execution can occur in versions of the MLflow platform running version 1.11.0 or newer, enabling a maliciously crafted MLproject to execute arbitrary code on an end user’s system when run.
- CVE-2024-37060Jun 4, 2024affected >= 1.27.0, <= 2.14.1
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Recipe to execute arbitrary code on an end user’s system when run.
- CVE-2024-37059Jun 4, 2024affected >= 0.5.0, <= 3.4.0
Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with.
- CVE-2024-37058Jun 4, 2024affected >= 2.5.0, <= 2.14.1
Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.5.0 or newer, enabling a maliciously uploaded Langchain AgentExecutor model to run arbitrary code on an end user’s system when interacted with.
- CVE-2024-37057Jun 4, 2024affected >= 2.0.0rc0, <= 2.14.1
Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.0.0rc0 or newer, enabling a maliciously uploaded Tensorflow model to run arbitrary code on an end user’s system when interacted with.
- CVE-2024-37056Jun 4, 2024affected >= 1.23.0, <= 2.14.1
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.23.0 or newer, enabling a maliciously uploaded LightGBM scikit-learn model to run arbitrary code on an end user’s system when interacted with.
- CVE-2024-37055Jun 4, 2024affected >= 1.24.0, <= 2.14.1
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.24.0 or newer, enabling a maliciously uploaded pmdarima model to run arbitrary code on an end user’s system when interacted with.
- CVE-2024-37054Jun 4, 2024affected >= 0.9.0, <= 2.14.1
Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.9.0 or newer, enabling a maliciously uploaded PyFunc model to run arbitrary code on an end user’s system when interacted with.
- CVE-2024-37053Jun 4, 2024affected >= 1.1.0, <= 2.14.1
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with.
- CVE-2024-37052Jun 4, 2024affected >= 1.1.0, <= 2.14.1
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with.
- CVE-2024-4263May 16, 2024affected < 2.10.1fixed 2.10.1
A broken access control vulnerability exists in mlflow/mlflow versions before 2.10.1, where low privilege users with only EDIT permissions on an experiment can delete any artifacts. This issue arises due to the lack of proper validation for DELETE requests by users with EDIT perm
- CVE-2024-3848May 16, 2024affected >= 2.9.2, < 2.12.1fixed 2.12.1
A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '#' character can be used to insert a path into the fragmen
- CVE-2024-3573Apr 16, 2024affected < 2.10.0fixed 2.10.0
mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the 'is_local_uri' function's failure to properly handle URIs with empty or 'file' schemes,
- CVE-2024-1558Apr 16, 2024affected < 2.12.1fixed 2.12.1
A path traversal vulnerability exists in the `_create_model_version()` function within `server/handlers.py` of the mlflow/mlflow repository, due to improper validation of the `source` parameter. Attackers can exploit this vulnerability by crafting a `source` parameter that bypass
Page 2 of 4