Lucene search
1231 matches found

RedhatCVE
added 2025/05/23 1:48 a.m. | 3 views

CVE-2023-6831

Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2...

CVSS 8.1 | AI score 6.7 | EPSS 0.0329
Exploits: 1 | References: 1

RedhatCVE
added 2025/05/23 1:48 a.m. | 7 views

CVE-2023-2780

Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.3.1...

CVSS 9.8 | AI score 6.7 | EPSS 0.06311
Exploits: 1 | References: 1

RedhatCVE
added 2025/05/23 1:44 a.m. | 9 views

CVE-2023-43472

An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API...

CVSS 7.5 | AI score 6.3 | EPSS 0.36582
Exploits: 1 | References: 1

Wolfi
added 2025/05/15 1:45 p.m. | 15 views

CVE-2025-47278 vulnerabilities

Vulnerabilities for packages: airflow, kubeflow-volumes-web-app, kubeflow-jupyter-web-app, emissary, mlflow...

CVSS 1.8 | AI score 6.2 | EPSS 0.00152
Exploits: 0

Wolfi
added 2025/05/15 1:45 p.m. | 8 views

GHSA-4GRG-W6V8-C28G vulnerabilities

Vulnerabilities for packages: airflow, kubeflow-volumes-web-app, kubeflow-jupyter-web-app, emissary, mlflow...

AI score 5.8
Exploits: 0

Chainguard
added 2025/05/15 1:14 p.m. | 14 views

GHSA-4GRG-W6V8-C28G vulnerabilities

Vulnerabilities for packages: kubeflow-volumes-web-app, airflow, pgadmin4, nemo, airflow-core, mlflow, kubeflow-jupyter-web-app, emissary...

AI score 5.8
Exploits: 0

Chainguard
added 2025/05/15 1:14 p.m. | 18 views

CVE-2025-47278 vulnerabilities

Vulnerabilities for packages: kubeflow-volumes-web-app, airflow, pgadmin4, nemo, airflow-core, mlflow, kubeflow-jupyter-web-app, emissary...

CVSS 1.8 | AI score 6.2 | EPSS 0.00152
Exploits: 0

GithubExploit
added 2025/04/12 10:33 a.m. | 307 views

Exploit for Path Traversal in Lfprojects Mlflow

MLflow CVE-2023-1177 - PoC & Reproduce. This repo contains code...

CVSS 9.8 | AI score 9.6 | EPSS 0.69468
Exploits: 2

OSV
added 2025/04/03 9:2 a.m. | 8 views

BIT-MLFLOW-2025-0453 Denial of Service through Batched Queries in GraphQL in mlflow/mlflow

In mlflow/mlflow version 2.17.2, the /graphql endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the application unable to...

CVSS 7.5 | AI score 6.3 | EPSS 0.00481
Exploits: 1 | References: 2

OSV
added 2025/04/02 7:17 a.m. | 6 views

BIT-MLFLOW-2024-6838 Uncontrolled Resource Consumption in mlflow/mlflow

In mlflow/mlflow version v2.13.2, a vulnerability exists that allows the creation or renaming of an experiment with a large number of integers in its name due to the lack of a limit on the experiment name. This can cause the MLflow UI panel to become unresponsive, leading to a potential denial of...

CVSS 5.3 | AI score 5.1 | EPSS 0.00572
Exploits: 1 | References: 2

Veracode
added 2025/04/01 2:37 a.m. | 15 views

Unauthorized Account Access

mlflow is vulnerable to Unauthorized Account Access. The vulnerability is due to improper user account management during the account creation process or the lack of a mandatory password requirement, which allows accounts to be created without authentication credentials...

CVSS 5.5 | AI score 7.4 | EPSS 0.00312
Exploits: 1 | References: 5 | Affected Software: 1

Veracode
added 2025/04/01 2:36 a.m. | 4 views

Cross-Site Request Forgery (CSRF)

mlflow is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability is due to lack of proper protection mechanisms in the Signup feature, allowing an attacker to craft malicious requests to create an account and perform unauthorized actions...

CVSS 7.1 | AI score 7 | EPSS 0.00195
Exploits: 1 | References: 4 | Affected Software: 1

Veracode
added 2025/03/24 5:53 a.m. | 4 views

Relative Path Traversal

mlflow is vulnerable to Relative Path Traversal. The vulnerability is due to improper URL handling due to the dbfs service concatenating URLs directly into the file protocol, allowing arbitrary file reads when the service is mounted to a local directory...

CVSS 7.5 | AI score 7 | EPSS 0.02407
Exploits: 1 | References: 4 | Affected Software: 1

RedhatCVE
added 2025/03/22 1:25 p.m. | 12 views

CVE-2025-1473

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Signup feature of mlflow/mlflow versions 2.17.0 to 2.20.1. This vulnerability allows an attacker to create a new account, which may be used to perform unauthorized actions on behalf of the malicious user...

CVSS 7.1 | AI score 7.2 | EPSS 0.00195
Exploits: 1 | References: 1

RedhatCVE
added 2025/03/22 1:25 p.m. | 11 views

CVE-2025-0453

In mlflow/mlflow version 2.17.2, the /graphql endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the application unable to...

CVSS 7.5 | AI score 7.1 | EPSS 0.00481
Exploits: 1 | References: 1

RedhatCVE
added 2025/03/22 12:56 p.m. | 18 views

CVE-2024-6838

In mlflow/mlflow version v2.13.2, a vulnerability exists that allows the creation or renaming of an experiment with a large number of integers in its name due to the lack of a limit on the experiment name. This can cause the MLflow UI panel to become unresponsive, leading to a potential denial of...

CVSS 5.3 | AI score 6.8 | EPSS 0.00572
Exploits: 1 | References: 1

RedhatCVE
added 2025/03/22 11:20 a.m. | 5 views

CVE-2024-8859

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while...

CVSS 7.5 | AI score 6.6 | EPSS 0.02407
Exploits: 1 | References: 1

Snyk
added 2025/03/20 6:47 p.m. | 1 views

Weak Password Requirements

Overview: mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Weak Password Requirements due to the lack of enforcement on...

CVSS 5.5 | AI score 7.3 | EPSS 0.00312
Exploits: 1 | References: 2

vulnersOsv
added 2025/03/20 6:47 p.m. | 2 views

api-python-bet-project (>=0.1.9 <=0.1.22), argosml (>=0.0.1 <=0.1.3) +61 more potentially affected by CVE-2025-1474 via mlflow (>=2.0.0rc0 <=2.19.0)

mlflow PYPI version =2.0.0rc0, =0.1.9, =0.0.1, =0.1.3, =1.2.0, =0.8.0, =0.0.10, =0.1.2370984012, =0.0.41, =1.6.0, =0.14.0, =0.14.0, =0.14.2b0 and more Source cves: CVE-2025-1474 Source advisory: SNYK:PYTHON-MLFLOW-9486737...

CVSS 5.5 | AI score 5.4 | EPSS 0.00312
Exploits: 1

Snyk
added 2025/03/20 6:47 p.m. | 2 views

Cross-site Request Forgery (CSRF)

Overview: mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) through the Signup feature. An...

CVSS 7.1 | AI score 7.1 | EPSS 0.00195
Exploits: 1 | References: 2