CVE-2025-14279

MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An...

a2 (>=0.1.0 <=0.3.17), abadpour (>=6.13.1 <=7.24.1) +940 more potentially affected by CVE-2025-14279 via mlflow (>=0.8.2 <=3.4.0)

mlflow PYPI version =0.8.2, =0.1.0, =6.13.1, =9.273.1, =1.1.0, =0.1.0, =0.1.0, =0.4.4, =0.3.0, =0.0.5, =1.0.0, =0.1.0, =1.1.1 - ai-helpers-pytorch-utils =0.1.0a1 - ailine-core =0.5.5 and more Source cves: CVE-2025-14279 Source advisory: OSV:GHSA-PGQP-8H46-6X4J...

MLFlow is vulnerable to DNS rebinding attacks due to a lack of Origin header validation

MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An...

GHSA-PGQP-8H46-6X4J MLFlow is vulnerable to DNS rebinding attacks due to a lack of Origin header validation

MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An...

abadpour (>=6.13.1 <=7.24.1), abcli (>=9.273.1 <=9.572.1) +686 more potentially affected by CVE-2025-14279 via mlflow (>=3.0.0rc2 <=3.5.0)

mlflow PYPI version =3.0.0rc2, =6.13.1, =9.273.1, =2.0.0, =0.1.0, =0.1.0, =0.4.4, =0.3.0, =0.1.0, =1.0.0, =0.1.0, =0.20.9, =0.21.10 and more Source cves: CVE-2025-14279 Source advisory: SNYK:PYTHON-MLFLOW-14913775...

Origin Validation Error

Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Origin Validation Error in the REST server, accessible via the...

CVE-2025-14279

MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An...

CVE-2025-14279

MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An...

CVE-2025-14279 DNS Rebinding Vulnerability in mlflow/mlflow

MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An...

CVE-2025-14279

The CVE details a DNS rebinding vulnerability in MLflow up to version 3.4.0 caused by lack of Origin header validation in the MLflow REST server. The issue allows an attacker to bypass Same-Origin Policy and issue unauthorized requests to REST endpoints, enabling querying, updating, and deleting ...

CVE-2025-14279 DNS Rebinding Vulnerability in mlflow/mlflow

MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An...

PT-2026-1734

Name of the Vulnerable Software and Affected Versions MLFlow versions up to and including 3.4.0 Description MLFlow versions up to and including 3.4.0 are susceptible to DNS rebinding attacks because of missing Origin header validation within the MLFlow REST server. This allows malicious websites ...

MLflow 访问控制错误漏洞

MLflow is an open source platform from MLflow that simplifies machine learning development, including tracking experiments, packaging code into repeatable runs, and sharing and deploying models. An Access Control Error vulnerability exists in MLflow 3.4.0 and prior versions, which stems from a la...

CVE-2023-4033

OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0...

CVE-2022-0736

Insecure Temporary File in GitHub repository mlflow/mlflow prior to 1.23.1...

CVE-2025-1474

In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally, this issue violates best practices for secure user accou...

CVE-2024-2928

A Local File Inclusion LFI vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can...

CVE-2025-62706 vulnerabilities

Vulnerabilities for packages: mlflow...

CVE-2025-62706 vulnerabilities

Vulnerabilities for packages: mlflow...

abadpour (>=6.13.1 <=7.24.1), abcli (>=9.273.1 <=9.572.1) +694 more potentially affected by unknown CVE via mlflow (>=3.0.0rc2 <=3.6.0rc0)

mlflow PYPI version =3.0.0rc2, =6.13.1, =9.273.1, =2.0.0, =0.1.0, =0.1.0, =0.4.4, =0.3.0, =0.1.0, =1.0.0, =0.1.0, =0.20.9, =0.21.10 and more Source cves: unknown CVE Source advisory: SNYK:PYTHON-MLFLOW-14829280...