PyPI package
zenml
pkg:pypi/zenml
Vulnerabilities (13)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-8406 | — | >= 0.81.0, < 0.84.2 | 0.84.2 | Oct 5, 2025 | ZenML version 0.83.1 is affected by a path traversal vulnerability in the `PathMaterializer` class. The `load` function uses `is_path_within_directory` to validate files during `data.tar.gz` extraction, which fails to effectively detect symbolic and hard links. This vulnerability | ||
| CVE-2024-9340 | — | < 0.68.0 | 0.68.0 | Mar 20, 2025 | A Denial of Service (DoS) vulnerability in zenml-io/zenml version 0.66.0 allows unauthenticated attackers to cause excessive resource consumption by sending malformed multipart requests with arbitrary characters appended to the end of multipart boundaries. This flaw in the multip | ||
| CVE-2024-4311 | — | < 0.57.0rc2 | 0.57.0rc2 | Nov 14, 2024 | zenml-io/zenml version 0.56.4 is vulnerable to an account takeover due to the lack of rate-limiting in the password change function. An attacker can brute-force the current password in the 'Update Password' function, allowing them to take over the user's account. This vulnerabili | ||
| CVE-2024-5062 | — | >= 0.57.1, < 0.58.0 | 0.58.0 | Jun 30, 2024 | A reflected Cross-Site Scripting (XSS) vulnerability was identified in zenml-io/zenml version 0.57.1. The vulnerability exists due to improper neutralization of input during web page generation, specifically within the survey redirect parameter. This flaw allows an attacker to re | ||
| CVE-2024-4680 | — | <= 0.56.3 | — | Jun 8, 2024 | A vulnerability in zenml-io/zenml version 0.56.3 allows attackers to reuse old session credentials or session IDs due to insufficient session expiration. Specifically, the session does not expire after a password change, enabling an attacker to maintain access to a compromised ac | ||
| CVE-2024-2032 | — | < 0.55.5 | 0.55.5 | Jun 6, 2024 | A race condition vulnerability exists in zenml-io/zenml versions up to and including 0.55.3, which allows for the creation of multiple users with the same username when requests are sent in parallel. This issue was fixed in version 0.55.5. The vulnerability arises due to insuffic | ||
| CVE-2024-2035 | — | < 0.56.2 | 0.56.2 | Jun 6, 2024 | An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify the information of other users, including changing the `active` status of user ac | ||
| CVE-2024-2171 | — | < 0.56.2 | 0.56.2 | Jun 6, 2024 | A stored Cross-Site Scripting (XSS) vulnerability was identified in the zenml-io/zenml repository, specifically within the 'logo_url' field. By injecting malicious payloads into this field, an attacker could send harmful messages to other users, potentially compromising their acc | ||
| CVE-2024-2213 | — | < 0.56.3 | 0.56.3 | Jun 6, 2024 | An issue was discovered in zenml-io/zenml versions up to and including 0.55.4. Due to improper authentication mechanisms, an attacker with access to an active user session can change the account password without needing to know the current password. This vulnerability allows for | ||
| CVE-2024-2383 | — | < 0.56.3 | 0.56.3 | Jun 6, 2024 | A clickjacking vulnerability exists in zenml-io/zenml versions up to and including 0.55.5 due to the application's failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers. This vulnerability allows an attacker to embed the application UI within an ifram | ||
| CVE-2024-2083 | — | < 0.55.5 | 0.55.5 | Apr 16, 2024 | A directory traversal vulnerability exists in the zenml-io/zenml repository, specifically within the /api/v1/steps endpoint. Attackers can exploit this vulnerability by manipulating the 'logs' URI path in the request to fetch arbitrary file content, bypassing intended access rest | ||
| CVE-2024-2260 | — | < 0.56.2 | 0.56.2 | Apr 16, 2024 | A session fixation vulnerability exists in the zenml-io/zenml application, where JWT tokens used for user authentication are not invalidated upon logout. This flaw allows an attacker to bypass authentication mechanisms by reusing a victim's JWT token. | ||
| CVE-2024-25723 | — | < 0.42.2 | 0.42.2 | Feb 27, 2024 | ZenML Server in the ZenML machine learning package before 0.46.7 for Python allows remote privilege escalation because the /api/v1/users/{user_name_or_id}/activate REST API endpoint allows access on the basis of a valid username along with a new password in the request body. Thes |
- CVE-2025-8406Oct 5, 2025affected >= 0.81.0, < 0.84.2fixed 0.84.2
ZenML version 0.83.1 is affected by a path traversal vulnerability in the `PathMaterializer` class. The `load` function uses `is_path_within_directory` to validate files during `data.tar.gz` extraction, which fails to effectively detect symbolic and hard links. This vulnerability
- CVE-2024-9340Mar 20, 2025affected < 0.68.0fixed 0.68.0
A Denial of Service (DoS) vulnerability in zenml-io/zenml version 0.66.0 allows unauthenticated attackers to cause excessive resource consumption by sending malformed multipart requests with arbitrary characters appended to the end of multipart boundaries. This flaw in the multip
- CVE-2024-4311Nov 14, 2024affected < 0.57.0rc2fixed 0.57.0rc2
zenml-io/zenml version 0.56.4 is vulnerable to an account takeover due to the lack of rate-limiting in the password change function. An attacker can brute-force the current password in the 'Update Password' function, allowing them to take over the user's account. This vulnerabili
- CVE-2024-5062Jun 30, 2024affected >= 0.57.1, < 0.58.0fixed 0.58.0
A reflected Cross-Site Scripting (XSS) vulnerability was identified in zenml-io/zenml version 0.57.1. The vulnerability exists due to improper neutralization of input during web page generation, specifically within the survey redirect parameter. This flaw allows an attacker to re
- CVE-2024-4680Jun 8, 2024affected <= 0.56.3
A vulnerability in zenml-io/zenml version 0.56.3 allows attackers to reuse old session credentials or session IDs due to insufficient session expiration. Specifically, the session does not expire after a password change, enabling an attacker to maintain access to a compromised ac
- CVE-2024-2032Jun 6, 2024affected < 0.55.5fixed 0.55.5
A race condition vulnerability exists in zenml-io/zenml versions up to and including 0.55.3, which allows for the creation of multiple users with the same username when requests are sent in parallel. This issue was fixed in version 0.55.5. The vulnerability arises due to insuffic
- CVE-2024-2035Jun 6, 2024affected < 0.56.2fixed 0.56.2
An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify the information of other users, including changing the `active` status of user ac
- CVE-2024-2171Jun 6, 2024affected < 0.56.2fixed 0.56.2
A stored Cross-Site Scripting (XSS) vulnerability was identified in the zenml-io/zenml repository, specifically within the 'logo_url' field. By injecting malicious payloads into this field, an attacker could send harmful messages to other users, potentially compromising their acc
- CVE-2024-2213Jun 6, 2024affected < 0.56.3fixed 0.56.3
An issue was discovered in zenml-io/zenml versions up to and including 0.55.4. Due to improper authentication mechanisms, an attacker with access to an active user session can change the account password without needing to know the current password. This vulnerability allows for
- CVE-2024-2383Jun 6, 2024affected < 0.56.3fixed 0.56.3
A clickjacking vulnerability exists in zenml-io/zenml versions up to and including 0.55.5 due to the application's failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers. This vulnerability allows an attacker to embed the application UI within an ifram
- CVE-2024-2083Apr 16, 2024affected < 0.55.5fixed 0.55.5
A directory traversal vulnerability exists in the zenml-io/zenml repository, specifically within the /api/v1/steps endpoint. Attackers can exploit this vulnerability by manipulating the 'logs' URI path in the request to fetch arbitrary file content, bypassing intended access rest
- CVE-2024-2260Apr 16, 2024affected < 0.56.2fixed 0.56.2
A session fixation vulnerability exists in the zenml-io/zenml application, where JWT tokens used for user authentication are not invalidated upon logout. This flaw allows an attacker to bypass authentication mechanisms by reusing a victim's JWT token.
- CVE-2024-25723Feb 27, 2024affected < 0.42.2fixed 0.42.2
ZenML Server in the ZenML machine learning package before 0.46.7 for Python allows remote privilege escalation because the /api/v1/users/{user_name_or_id}/activate REST API endpoint allows access on the basis of a valid username along with a new password in the request body. Thes