1231 matches found
GHSA-G6PG-52VF-843H MLFlow allows Tracing + Assessments Access
In the latest version of mlflow/mlflow, when the basic-auth app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including those with NOPERMISSIONS on the experiment, to read trace information and create assessments for...
CVE-2025-15381
In the latest version of mlflow/mlflow, when the basic-auth app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including those with NOPERMISSIONS on the experiment, to read trace information and create assessments for...
CVE-2025-15381 Unauthorized Access to Tracing and Assessment Endpoints in mlflow/mlflow
In the latest version of mlflow/mlflow, when the basic-auth app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including those with NOPERMISSIONS on the experiment, to read trace information and create assessments for...
CVE-2025-15381
In the latest version of mlflow/mlflow, when the basic-auth app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including those with NOPERMISSIONS on the experiment, to read trace information and create assessments for...
CVE-2025-15381 Unauthorized Access to Tracing and Assessment Endpoints in mlflow/mlflow
In the latest version of mlflow/mlflow, when the basic-auth app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including those with NOPERMISSIONS on the experiment, to read trace information and create assessments for...
CVE-2025-15381
Affected software: mlflow/mlflow (deployments using mlflow server --app-name=basic-auth). Vulnerability: When the basic-auth app is enabled, tracing and assessment endpoints are not protected by permission validators, allowing any authenticated user (including those with NO_PERMISSIONS on the exp...
MLflow 信息泄露漏洞
MLFlow is an open-source platform that simplifies machine learning development. It includes features for tracking experiments, packaging code for reproducible runs, and sharing and deploying models. However, MLFlow has a vulnerability related to information leakage. This vulnerability stems from...
PT-2026-28274
In the latest version of mlflow/mlflow, when the basic-auth app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including those with NO PERMISSIONS on the experiment, to read trace information and create assessments for...
BIT-MLFLOW-2025-15031 Path Traversal Vulnerability in mlflow/mlflow
A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of tarfile.extractall without path validation enables crafted tar.gz files containing .. or absolute paths to escape the intended extractio...
Directory Traversal
Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Directory Traversal in the extraction process of tar archives due ...
a2 (>=0.1.0 <=0.3.17), abadpour (>=6.13.1 <=7.24.1) +948 more potentially affected by CVE-2025-15031 via mlflow (>=0.8.2 <=3.9.0)
mlflow PYPI version =0.8.2, =0.1.0, =6.13.1, =9.273.1, =1.1.0, =0.1.0, =0.1.0, =0.4.4, =0.3.0, =0.0.5, =1.0.0, =0.1.0, =1.1.1 - ai-helpers-pytorch-utils =0.1.0a1 - ailine-core =0.5.5 and more Source cves: CVE-2025-15031 Source advisory: OSV:GHSA-FHFF-QMM8-H2FP...
abadpour (>=6.13.1 <=7.24.1), abcli (>=9.273.1 <=9.572.1) +757 more potentially affected by CVE-2025-15031 via mlflow-skinny (>=3.0.0 <=3.9.0)
mlflow-skinny PYPI version =3.0.0, =6.13.1, =9.273.1, =2.0.0, =0.1.0, =0.1.0, =0.4.4, =0.3.0, =0.1.0, =1.0.0, =1.1.0, =0.1.0, =0.20.9, =0.21.10 and more Source cves: CVE-2025-15031 Source advisory: SNYK:PYTHON-MLFLOWSKINNY-16698159...
abadpour (>=6.13.1 <=7.24.1), abcli (>=9.273.1 <=9.572.1) +696 more potentially affected by CVE-2025-15031 via mlflow (>=3.0.0rc2 <=3.9.0)
mlflow PYPI version =3.0.0rc2, =6.13.1, =9.273.1, =2.0.0, =0.1.0, =0.1.0, =0.4.4, =0.3.0, =0.1.0, =1.0.0, =1.1.0, =0.1.0, =0.20.9, =0.21.10 and more Source cves: CVE-2025-15031 Source advisory: SNYK:PYTHON-MLFLOW-15700505...
GHSA-FHFF-QMM8-H2FP Arbitrary file write via tar traversal in mlflow
A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of tarfile.extractall without path validation enables crafted tar.gz files containing .. or absolute paths to escape the intended extractio...
Arbitrary file write via tar traversal in mlflow
A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of tarfile.extractall without path validation enables crafted tar.gz files containing .. or absolute paths to escape the intended extractio...
CVE-2025-15031
A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of tarfile.extractall without path validation enables crafted tar.gz files containing .. or absolute paths to escape the intended extractio...
CVE-2025-15031 Path Traversal Vulnerability in mlflow/mlflow
A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of tarfile.extractall without path validation enables crafted tar.gz files containing .. or absolute paths to escape the intended extractio...
CVE-2025-15031
A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of tarfile.extractall without path validation enables crafted tar.gz files containing .. or absolute paths to escape the intended extractio...
CVE-2025-15031 Path Traversal Vulnerability in mlflow/mlflow
A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of tarfile.extractall without path validation enables crafted tar.gz files containing .. or absolute paths to escape the intended extractio...
CVE-2025-15031
MLflow is affected by a path-traversal in its pyfunc extraction: tarfile.extractall is used without validating archive paths, allowing crafted tar.gz files to escape the extraction directory via .. or absolute paths. Documents consistently describe potential arbitrary file writes and the risk of ...