CVE-2025-1474 Weak Password Requirements in mlflow/mlflow

In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally, this issue violates best practices for secure user accou...

CVE-2025-1474 Weak Password Requirements in mlflow/mlflow

In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally, this issue violates best practices for secure user accou...

CVE-2025-1473

In MLflow (mlflow/mlflow), a CSRF vulnerability affects versions 2.17.0 to 2.20.1 in the Signup feature, allowing an attacker to create a new account and potentially perform unauthorized actions on behalf of the attacker’s account. The CVE-2025-1473 entry documents the flaw and its impact as Cros...

CVE-2024-8859 Path Traversal in mlflow/mlflow

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while...

CVE-2024-8859 Path Traversal in mlflow/mlflow

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while...

CVE-2024-8859

Mlflow/mlflow 2.15.1 contains a path traversal/local file read vulnerability when using the dbfs service: the URL is interpolated into the file protocol with only the path portion validated, enabling reading arbitrary server files when dbfs is mounted locally. Public sources (Nuclei template, OSV...

CVE-2024-6838 Uncontrolled Resource Consumption in mlflow/mlflow

In mlflow/mlflow version v2.13.2, a vulnerability exists that allows the creation or renaming of an experiment with a large number of integers in its name due to the lack of a limit on the experiment name. This can cause the MLflow UI panel to become unresponsive, leading to a potential denial of...

CVE-2024-6838

CVE-2024-6838 affects mlflow/mlflow v2.13.2, allowing creation or renaming of an experiment with an unbounded number of integers in the name and no limit on the artifact_location, leading to potential denial of service due to UI unresponsiveness (uncontrolled resource consumption). The vulnerabil...

CVE-2024-6838 Uncontrolled Resource Consumption in mlflow/mlflow

In mlflow/mlflow version v2.13.2, a vulnerability exists that allows the creation or renaming of an experiment with a large number of integers in its name due to the lack of a limit on the experiment name. This can cause the MLflow UI panel to become unresponsive, leading to a potential denial of...

PT-2025-12315 · Mlflow · Mlflow

Name of the Vulnerable Software and Affected Versions: mlflow/mlflow version 2.17.2 Description: The /graphql endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment, tying up all the workers...

MLflow 跨站请求伪造漏洞

MLflow is an open source platform from MLflow that simplifies machine learning development, including tracking experiments, packaging code into repeatable runs, and sharing and deploying models. A cross-site request forgery vulnerability exists in MLflow versions 2.17.0 through 2.20.1, which stem...

MLflow 安全漏洞

MLflow is an open source platform from MLflow that simplifies machine learning development, including tracking experiments, packaging code into repeatable runs, and sharing and deploying models. A security vulnerability exists in MLflow version 2.17.2, which stems from a possible denial-of-servic...

MLflow 安全漏洞

MLflow is an open source platform from MLflow that simplifies machine learning development, including tracking experiments, packaging code into repeatable runs, and sharing and deploying models. A security vulnerability exists in MLflow version 2.15.1, which stems from a misconfiguration of the...

MLflow 安全漏洞

MLflow is an open source platform from MLflow that simplifies machine learning development, including tracking experiments, packaging code into repeatable runs, and sharing and deploying models. A security vulnerability exists in MLflow version v2.13.2, which stems from an unrestricted experiment...

MLflow 安全漏洞

MLflow is an open source platform from MLflow that simplifies machine learning development, including tracking experiments, packaging code into repeatable runs, and sharing and deploying models. A security vulnerability exists in MLflow version 2.18 that stems from the ability for administrators ...

PT-2025-12247 · Mlflow · Mlflow

Name of the Vulnerable Software and Affected Versions: mlflow/mlflow version 2.15.1 Description: A path traversal issue exists when users configure and use the dbfs service. The vulnerability arises from directly concatenating the URL into the file protocol, resulting in an arbitrary file read...

PT-2025-12167 · Mlflow · Mlflow

Name of the Vulnerable Software and Affected Versions: mlflow/mlflow version v2.13.2 Description: A potential denial of service issue exists due to the lack of a limit on the experiment name, allowing the creation or renaming of an experiment with a large number of integers in its name. This can...

PT-2025-7512 · Mlflow · Mlflow

Name of the Vulnerable Software and Affected Versions: mlflow/mlflow versions 2.17.0 through 2.20.1 Description: A Cross-Site Request Forgery CSRF issue exists in the Signup feature. This allows an attacker to create a new account, which can be used to perform unauthorized actions on behalf of th...

CVE-2024-3848

A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '' character can be used to insert a path into the fragment, effectively...

CVE-2024-3573

mlflow/mlflow is vulnerable to Local File Inclusion LFI due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the 'islocaluri' function's failure to properly handle URIs with empty or 'file' schemes, leading to the...