mlflow@2.22.5

MLflow is an open source platform for the complete machine learning lifecycle

  • latest version

    3.12.0

  • first published

    7 years ago

  • latest version published

    16 days ago

  • Direct Vulnerabilities

    Known vulnerabilities in the mlflow package. This does not include vulnerabilities belonging to this package’s dependencies.

    Severity (C = critical, H = high, M = medium) | Vulnerability | Vulnerable Version
    • H
    Access Control Bypass

    mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models.

    Affected versions of this package are vulnerable to Access Control Bypass via the SearchModelVersions REST API endpoint and the mlflowSearchModelVersions GraphQL query. An attacker can access sensitive information, including model names, version descriptions, source URIs, tags, and other metadata, by sending authenticated requests that bypass intended authorization checks.

    Note:

    This is only exploitable if basic authentication is enabled and per-model authorization is expected in a multi-tenant environment.

    How to fix Access Control Bypass?

    Upgrade mlflow to version 3.10.0 or higher.

    [,3.10.0)
    • H
    Creation of Temporary File With Insecure Permissions

    Affected versions of this package are vulnerable to Creation of Temporary File With Insecure Permissions via the get_or_create_nfs_tmp_dir() and _create_model_downloading_tmp_dir() functions. An attacker can modify model artifacts by exploiting these permissions, potentially leading to arbitrary code execution when the tampered artifacts are deserialized. This is only exploitable if the environment uses shared NFS mounts with default configurations that allow local users to access these directories.

    Note:

    This issue is due to an incomplete fix for CVE-2025-10279.

    How to fix Creation of Temporary File With Insecure Permissions?

    Upgrade mlflow to version 3.11.0rc1 or higher.

    [,3.11.0rc1)
    • H
    Authentication Bypass by Primary Weakness

    Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness via the _find_fastapi_validator function. An attacker can gain unauthorized access to sensitive API endpoints by sending requests to non-/gateway/ paths when the server is started with authentication enabled and served via uvicorn. This allows actions such as submitting jobs, reading job results, canceling running jobs, and injecting arbitrary trace data without authentication.

    Note:

    This is only exploitable if the server is started with the --app-name basic-auth flag and served via uvicorn (ASGI).

    How to fix Authentication Bypass by Primary Weakness?

    Upgrade mlflow to version 3.10.0 or higher.

    [,3.10.0)
    • H
    Directory Traversal

    Affected versions of this package are vulnerable to Directory Traversal via the _create_model_version function. An attacker can access arbitrary files on the server's filesystem by including the mlflow.prompt.is_prompt tag in a CreateModelVersion request, which bypasses source path validation and allows storage of arbitrary local filesystem paths as the model version source. The get_model_version_artifact_handler function subsequently serves files from these paths without verifying the prompt status, enabling unauthorized disclosure of sensitive information.

    How to fix Directory Traversal?

    Upgrade mlflow to version 3.10.0 or higher.

    [,3.10.0)
    • H
    Server-side Request Forgery (SSRF)

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in _validate_webhook_url(), in validate.py. The _create_webhook function accepts a user-controlled url parameter without validation. An attacker can cause the backend to send HTTP requests to internal services, cloud metadata endpoints, or arbitrary external servers.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade mlflow to version 3.10.0 or higher.

    [,3.10.0)
    • M
    Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via unsafe parsing of YAML-based MLmodel artifacts in the web interface. An attacker can execute arbitrary scripts in the context of another user's browser session by uploading a crafted MLmodel file containing malicious payloads, which are triggered when the artifact is viewed in the UI. This can lead to actions such as session hijacking or performing unauthorized operations on behalf of the victim.

    How to fix Cross-site Scripting (XSS)?

    Upgrade mlflow to version 3.11.0rc1 or higher.

    [,3.11.0rc1)
    • M
    Missing Authorization

    Affected versions of this package are vulnerable to Missing Authorization due to missing access-control validation in the AJAX endpoint used for downloading saved model artifacts. An attacker can gain unauthorized access to model artifacts by directly querying this endpoint without proper permissions.

    How to fix Missing Authorization?

    Upgrade mlflow to version 3.11.0rc1 or higher.

    [,3.11.0rc1)
    • C
    Missing Authentication for Critical Function

    Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the FastAPI endpoints under /ajax-api/3.0/jobs/* when the basic-auth app is enabled. An attacker can gain unauthorized access to submit, read, search, and cancel jobs by sending network requests without credentials, potentially leading to remote code execution, data exposure, or denial of service.

    Note:

    This is only exploitable if job execution is enabled (MLFLOW_SERVER_ENABLE_JOB_EXECUTION=true) and at least one job function is allowlisted.

    How to fix Missing Authentication for Critical Function?

    There is no fixed version for mlflow.

    [0,)
    • C
    Command Injection

    Affected versions of this package are vulnerable to Command Injection when serving models with enable_mlserver=True due to unsanitized input being embedded into a shell command. An attacker can execute arbitrary commands by supplying specially crafted model URIs containing shell metacharacters.

    How to fix Command Injection?

    Upgrade mlflow to version 3.9.0rc0 or higher.

    [,3.9.0rc0)
    • H
    Exposure of Sensitive System Information to an Unauthorized Control Sphere

    Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere in the tracing and assessment endpoints. An attacker can access sensitive trace metadata and create unauthorized assessments by authenticating with any user account, even those with no permissions on the experiment.

    How to fix Exposure of Sensitive System Information to an Unauthorized Control Sphere?

    Upgrade mlflow to version 3.11.0rc1 or higher.

    [,3.11.0rc1)
    • C
    Arbitrary File Write via Archive Extraction (Zip Slip)

    Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) via the extract_archive_to_dir function. An attacker can overwrite arbitrary files or gain elevated privileges by supplying a crafted tar.gz file containing malicious paths during extraction. This may allow escape from the intended sandbox directory in multi-tenant or shared cluster environments.

    How to fix Arbitrary File Write via Archive Extraction (Zip Slip)?

    Upgrade mlflow to version 3.9.0rc0 or higher.

    [,3.9.0rc0)
    • H
    Directory Traversal

    Affected versions of this package are vulnerable to Directory Traversal in the extraction process of tar archives due to improper validation of archive entry paths. An attacker can overwrite arbitrary files on the filesystem by supplying a crafted tar.gz file containing directory traversal sequences or absolute paths.

    How to fix Directory Traversal?

    Upgrade mlflow to version 3.9.0rc0 or higher.

    [,3.9.0rc0)
    • H
    Command Injection

    Affected versions of this package are vulnerable to Command Injection via the --container parameter. An attacker can execute unauthorized commands by supplying specially crafted input that is not properly sanitized.

    Note:

    This is only exploitable if the attacker has shell access to the system.

    How to fix Command Injection?

    Upgrade mlflow to version 3.8.0rc0 or higher.

    [,3.8.0rc0)
    • H
    Directory Traversal

    Affected versions of this package are vulnerable to Directory Traversal via the _find_run_root function in the FileStore tracking component. An attacker can access arbitrary files on the server by planting a malicious meta.yaml in an artifact folder to redirect artifact URI resolution to sensitive directories.

    How to fix Directory Traversal?

    Upgrade mlflow to version 3.8.0rc0 or higher.

    [,3.8.0rc0)
    • C
    Use of Default Credentials

    Affected versions of this package are vulnerable to Use of Default Credentials in the basic_auth.ini file. An attacker can gain unauthorized administrative access and execute arbitrary code if the default admin credentials have not been changed.

    How to fix Use of Default Credentials?

    A fix was pushed into the master branch but not yet published.

    [2.3.2,)
    • H
    Creation of Temporary File With Insecure Permissions

    Affected versions of this package are vulnerable to Creation of Temporary File With Insecure Permissions in the get_or_create_tmp_dir() function in file_utils.py. This enables an attacker who can write to /tmp to cause the execution of arbitrary .py files during environment setup.

    How to fix Creation of Temporary File With Insecure Permissions?

    Upgrade mlflow to version 3.4.0rc0 or higher.

    [,3.4.0rc0)
    • H
    Origin Validation Error

    Affected versions of this package are vulnerable to Origin Validation Error in the REST server, accessible via the experiments/search endpoint. An attacker can access, modify, or delete sensitive experiment data by tricking a user into visiting a malicious website that issues unauthorized requests to REST endpoints.

    How to fix Origin Validation Error?

    Upgrade mlflow to version 3.5.0rc0 or higher.

    [,3.5.0rc0)
    • M
    Symlink Attack

    Affected versions of this package are vulnerable to Symlink Attack due to insufficient validation that artifact paths (after following symlinks) remain inside the configured local artifact directory. An attacker can create an artifact that is a symbolic link pointing to a file outside of the designated artifact repository.

    How to fix Symlink Attack?

    Upgrade mlflow to version 3.8.0rc0 or higher.

    [,3.8.0rc0)
    • M
    SQL Injection

    Affected versions of this package are vulnerable to SQL Injection due to unsafe construction of SQL statements in the get_execute_function_sql_stmt function within mlflow/gateway/uc_function_utils.py. An attacker can execute arbitrary SQL statements by providing a maliciously crafted Unity Catalog function name or parameter name that is directly interpolated into the SQL query without proper quoting or escaping.

    Note: Because function names should not be susceptible to attacker influence, exploitation is unlikely; however, the maintainer considered exploitation possible (see the maintainer's comment).

    How to fix SQL Injection?

    Upgrade mlflow to version 3.8.0 or higher.

    [,3.8.0)
    • C
    Directory Traversal

    Affected versions of this package are vulnerable to Directory Traversal via improper validation of user-supplied paths in the model file paths. An attacker can execute arbitrary code in the context of the service account by supplying crafted path input to perform unauthorized file operations.

    How to fix Directory Traversal?

    Upgrade mlflow to version 3.0.0 or higher.

    [,3.0.0)
    • M
    Server-side Request Forgery (SSRF)

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via insufficient validation of the gateway_path parameter in the gateway_proxy_handler process. An attacker can interact with unintended internal resources by supplying crafted input to bypass access controls.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade mlflow to version 3.0.0 or higher.

    [,3.0.0)
    • H
    Allocation of Resources Without Limits or Throttling

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in handlers.py, which is exploitable over the /graphql endpoint. An attacker can occupy all available workers and make the server unresponsive to other connections by sending large batches of GraphQL queries that repeatedly request all runs from a given experiment and stay in a pending state. Experiments configured to have a large number of runs are vulnerable.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade mlflow to version 3.1.1 or higher.

    [,3.1.1)
    • H
    Deserialization of Untrusted Data

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the load function in the BaseCard class within the recipes/cards/__init__.py file. An attacker can execute arbitrary code on the target system by creating an MLProject Recipe containing a malicious pickle file (e.g. pickle.pkl) and a python script that calls BaseCard.load(pickle.pkl). The pickle file will be deserialized when the project is run.

    Note:

    If you are not running MLflow on a publicly accessible server, this vulnerability won't apply to you.

    How to fix Deserialization of Untrusted Data?

    There is no fixed version for mlflow.

    [1.27.0,)
    • H
    Deserialization of Untrusted Data

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the _load_model function in the mlflow/pytorch/__init__.py file. An attacker can execute arbitrary code on the victim's system by injecting a malicious pickle object into a PyFunc model which will then be deserialized when the model is loaded.

    How to fix Deserialization of Untrusted Data?

    There is no fixed version for mlflow.

    [0.5.0,)
    • H
    Improper Control of Generation of Code ('Code Injection')

    Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') via the _run_entry_point function in the projects/backend/local.py file. An attacker can execute arbitrary code on the victim's system by submitting a maliciously crafted MLproject file.

    How to fix Improper Control of Generation of Code ('Code Injection')?

    There is no fixed version for mlflow.

    [1.11.0,)
    • H
    Deserialization of Untrusted Data

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the _load_from_pickle function in the mlflow/langchain/utils.py file. An attacker can execute arbitrary code on the victim's system by injecting a malicious pickle object into a PyFunc model which will then be deserialized when the model is loaded.

    How to fix Deserialization of Untrusted Data?

    There is no fixed version for mlflow.

    [2.5.0,)
    • H
    Deserialization of Untrusted Data

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the _load_custom_objects function in the mlflow/tensorflow/__init__.py file. An attacker can execute arbitrary code on the victim's system by injecting a malicious pickle object into a PyFunc model which will then be deserialized when the model is loaded.

    How to fix Deserialization of Untrusted Data?

    There is no fixed version for mlflow.

    [2.0.0rc0,)
    • H
    Deserialization of Untrusted Data

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the _load_model function in the mlflow/lightgbm/__init__.py file. An attacker can execute arbitrary code on the victim's system by injecting a malicious pickle object into a PyFunc model which will then be deserialized when the model is loaded.

    How to fix Deserialization of Untrusted Data?

    There is no fixed version for mlflow.

    [1.23.0,)
    • H
    Deserialization of Untrusted Data

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the _load_model function in the pmdarima/__init__.py file. An attacker can execute arbitrary code on the victim's system by injecting a malicious pickle object into a PyFunc model which will then be deserialized when the model is loaded.

    How to fix Deserialization of Untrusted Data?

    There is no fixed version for mlflow.

    [1.24.0,)
    • H
    Deserialization of Untrusted Data

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the _load_model_from_local_file function in the sklearn/__init__.py file. An attacker can execute arbitrary code on the victim's system by injecting a malicious pickle object into a PyFunc model, which will then be deserialized when the model is loaded.

    How to fix Deserialization of Untrusted Data?

    There is no fixed version for mlflow.

    [1.1.0,)
    • H
    Deserialization of Untrusted Data

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the _load_pyfunc function in the mlflow/pyfunc/model.py file. An attacker can execute arbitrary code on the victim's system by injecting a malicious pickle object into a PyFunc model which will then be deserialized when the model is loaded.

    How to fix Deserialization of Untrusted Data?

    There is no fixed version for mlflow.

    [0.9.0,)