1231 matches found

vulnersOsv
added 2025/03/20 6:47 p.m. | 3 views

api-python-bet-project (>=0.1.9 <=0.1.22), argosml (>=0.0.1 <=0.1.3) +69 more potentially affected by CVE-2025-1473 via mlflow (>=2.0.0rc0 <=2.20.1)

mlflow PYPI version =2.0.0rc0, =0.1.9, =0.0.1, =1.0.4, =0.1.3, =1.2.0, =0.1.0, =0.0.10, =0.8.0, =0.0.10, =0.1.2370984012, =0.0.41, =1.6.0, =1.8.2 and more Source cves: CVE-2025-1473 Source advisory: SNYK:PYTHON-MLFLOW-9486736...

CVSS 7.1 | AI score 6.2 | EPSS 0.00195
Exploits: 1

vulnersOsv
added 2025/03/20 12:32 p.m. | 0 views

a2 (>=0.1.0 <=0.3.17), agentos (>=0.0.5 <=0.0.7) +190 more potentially affected by CVE-2025-1474 via mlflow (>=0.8.2 <=2.18.0)

mlflow PYPI version =0.8.2, =0.1.0, =0.0.5, =0.0.1, =0.1.2, =1.0.18.2, =0.0.1, =1.0.41, =1.4.0, =0.2.5, =0.1.3, =3.0.0, =3.3.0 and more Source cves: CVE-2025-1474 Source advisory: OSV:GHSA-4RJ2-9GCX-5QHX...

CVSS 5.5 | AI score 5.8 | EPSS 0.00312
Exploits: 1

vulnersOsv
added 2025/03/20 12:32 p.m. | 0 views

api-python-bet-project (>=0.1.9 <=0.1.22), argosml (>=0.0.1 <=0.1.3) +34 more potentially affected by CVE-2025-1473 via mlflow (>=2.17.0 <=2.20.2)

mlflow PYPI version =2.17.0, =0.1.9, =0.0.1, =1.0.6, =1.9.23, =0.1.0, =0.0.10, =1.1.5, =0.1.2370984012, =1.6.0, =0.14.0, =0.14.0, =0.14.0, =0.1.1, =0.1.2 and more Source cves: CVE-2025-1473 Source advisory: OSV:GHSA-969W-GQQR-G6J3...

CVSS 7.1 | AI score 6.2 | EPSS 0.00195
Exploits: 1

Github Security Blog
added 2025/03/20 12:32 p.m. | 13 views

MLflow Cross-Site Request Forgery (CSRF) vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Signup feature of mlflow/mlflow versions 2.17.0 to 2.20.1. This vulnerability allows an attacker to create a new account, which may be used to perform unauthorized actions on behalf of the malicious user...

CVSS 7.1 | AI score 7.1 | EPSS 0.00195
Exploits: 1 | References: 4 | Affected Software: 1

Github Security Blog
added 2025/03/20 12:32 p.m. | 12 views

MLflow has Weak Password Requirements

In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally, this issue violates best practices for secure user accou...

CVSS 5.5 | AI score 6.9 | EPSS 0.00312
Exploits: 1 | References: 5 | Affected Software: 1

OSV
added 2025/03/20 12:32 p.m. | 1 view

GHSA-969W-GQQR-G6J3 MLflow Cross-Site Request Forgery (CSRF) vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Signup feature of mlflow/mlflow versions 2.17.0 to 2.20.1. This vulnerability allows an attacker to create a new account, which may be used to perform unauthorized actions on behalf of the malicious user...

CVSS 5.4 | AI score 6.4 | EPSS 0.00195
Exploits: 1 | References: 4

OSV
added 2025/03/20 12:32 p.m. | 8 views

GHSA-4RJ2-9GCX-5QHX MLflow has Weak Password Requirements

In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally, this issue violates best practices for secure user accou...

CVSS 3.8 | AI score 6.9 | EPSS 0.00312
Exploits: 1 | References: 5

vulnersOsv
added 2025/03/20 12:32 p.m. | 2 views

abadpour (>=6.13.1 <=7.24.1), abcli (>=9.273.1 <=9.572.1) +667 more potentially affected by CVE-2025-0453 via mlflow (>=3.0.0rc2 <=3.1.0rc0)

mlflow PYPI version =3.0.0rc2, =6.13.1, =9.273.1, =2.0.0, =0.1.0, =0.1.0, =0.4.4, =0.3.0, =0.1.0, =1.0.0, =0.1.0, =0.20.9, =0.21.10 and more Source cves: CVE-2025-0453 Source advisory: SNYK:PYTHON-MLFLOW-9510841...

CVSS 7.5 | AI score 6.5 | EPSS 0.00481
Exploits: 1

vulnersOsv
added 2025/03/20 12:32 p.m. | 1 view

a2 (>=0.1.0 <=0.3.17), agentos (>=0.0.5 <=0.0.7) +189 more potentially affected by CVE-2025-0453 via mlflow (>=0.8.2 <=2.17.2)

mlflow PYPI version =0.8.2, =0.1.0, =0.0.5, =0.0.1, =0.1.2, =1.0.18.2, =0.0.1, =1.0.41, =1.4.0, =0.2.5, =0.1.3, =3.0.0, =3.3.0 and more Source cves: CVE-2025-0453 Source advisory: OSV:GHSA-49M6-VRR9-2CQM...

CVSS 7.5 | AI score 6.5 | EPSS 0.00481
Exploits: 1

Snyk
added 2025/03/20 12:32 p.m. | 4 views

Allocation of Resources Without Limits or Throttling

Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in handlers.p...

CVSS 8.2 | AI score 7 | EPSS 0.00481
Exploits: 1 | References: 2

OSV
added 2025/03/20 12:32 p.m. | 3 views

GHSA-49M6-VRR9-2CQM MLflow Uncontrolled Resource Consumption vulnerability

In mlflow/mlflow version 2.17.2, the /graphql endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the application unable to...

CVSS 5.9 | AI score 5.9 | EPSS 0.00481
Exploits: 1 | References: 3

Github Security Blog
added 2025/03/20 12:32 p.m. | 17 views

MLflow Uncontrolled Resource Consumption vulnerability

In mlflow/mlflow version 2.17.2, the /graphql endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the application unable to...

CVSS 7.5 | AI score 6.7 | EPSS 0.00481
Exploits: 1 | References: 3 | Affected Software: 1

vulnersOsv
added 2025/03/20 12:32 p.m. | 1 view

a2 (>=0.1.0 <=0.3.17), agentos (>=0.0.5 <=0.0.7) +182 more potentially affected by CVE-2024-8859 via mlflow (>=0.8.2 <=2.17.0)

mlflow PYPI version =0.8.2, =0.1.0, =0.0.5, =0.1.2, =1.0.18.2, =0.0.1, =1.0.41, =1.4.0, =0.2.5, =0.1.3, =3.0.0, =0.1.0, =0.2.0, =0.2.4 and more Source cves: CVE-2024-8859 Source advisory: OSV:GHSA-4RQF-8PFM-P36R...

CVSS 7.5 | AI score 7 | EPSS 0.02407
Exploits: 1

Github Security Blog
added 2025/03/20 12:32 p.m. | 11 views

MLflow has a Local File Read/Path Traversal in dbfs

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while...

CVSS 7.5 | AI score 6.6 | EPSS 0.02407
Exploits: 1 | References: 4 | Affected Software: 1

OSV
added 2025/03/20 12:32 p.m. | 6 views

GHSA-4RQF-8PFM-P36R MLflow has a Local File Read/Path Traversal in dbfs

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while...

CVSS 7.5 | AI score 6.9 | EPSS 0.02407
Exploits: 1 | References: 4

vulnersOsv
added 2025/03/20 12:32 p.m. | 3 views

ado-sfttrainer (>=1.0.1 <=1.8.0), aim-mlflow (>=0.1.0 <=0.2.1) +27 more potentially affected by CVE-2024-8769 via aim (>=3.17.4 <=4.0.3)

aim PYPI version =3.17.4, =1.0.1, =0.1.0, =0.1.0, =0.0.1, =4.46.1, =0.0.1, =0.0.3, =0.0.1, =1.1.5, =0.1.1, =0.22.0, =0.0.1, =0.0.1, =2.0.1, =2.0.7 and more Source cves: CVE-2024-8769 Source advisory: SNYK:PYTHON-AIM-9510955...

CVSS 9.1 | AI score 7.7 | EPSS 0.00791
Exploits: 1

vulnersOsv
added 2025/03/20 12:32 p.m. | 1 view

a2 (>=0.1.0 <=0.3.17), agentos (>=0.0.5 <=0.0.7) +170 more potentially affected by CVE-2024-6838 via mlflow (>=0.8.2 <=2.13.2)

mlflow PYPI version =0.8.2, =0.1.0, =0.0.5, =0.1.2, =1.0.18.2, =0.0.1, =1.0.41, =1.4.0, =0.2.5, =0.1.3, =3.0.0, =0.1.0, =0.2.0, =0.3.5, =0.3.8 and more Source cves: CVE-2024-6838 Source advisory: OSV:GHSA-Q3GW-8236-5JW4...

CVSS 5.3 | AI score 6.4 | EPSS 0.00572
Exploits: 1

vulnersOsv
added 2025/03/20 12:32 p.m. | 3 views

api-python-bet-project (>=0.1.9 <=0.1.22), argosml (>=0.0.1 <=0.1.3) +74 more potentially affected by CVE-2024-6838 via mlflow (>=2.0.0rc0 <=2.20.4)

mlflow PYPI version =2.0.0rc0, =0.1.9, =0.0.1, =1.0.4, =0.1.3, =1.2.0, =0.1.0, =0.0.10, =0.8.0, =0.0.10, =0.1.2370984012, =0.0.41, =0.0.97 and more Source cves: CVE-2024-6838 Source advisory: SNYK:PYTHON-MLFLOW-9510934...

CVSS 5.3 | AI score 6.2 | EPSS 0.00572
Exploits: 1

Snyk
added 2025/03/20 12:32 p.m. | 2 views

Missing Input Length Validation

Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Missing Input Length Validation in the experimentname - passed to...

CVSS 6.9 | AI score 7.1 | EPSS 0.00572
Exploits: 1 | References: 3

OSV
added 2025/03/20 12:32 p.m. | 1 view

GHSA-Q3GW-8236-5JW4 MLflow Uncontrolled Resource Consumption vulnerability

In mlflow/mlflow version v2.13.2, a vulnerability exists that allows the creation or renaming of an experiment with a large number of integers in its name due to the lack of a limit on the experiment name. This can cause the MLflow UI panel to become unresponsive, leading to a potential denial of...

CVSS 5.3 | AI score 5.9 | EPSS 0.00572
Exploits: 1 | References: 3