
1234 matches found

Cvelist
added 2025/03/20 10:11 a.m. · 21 views

CVE-2025-0453 Denial of Service through Batched Queries in GraphQL in mlflow/mlflow

In mlflow/mlflow version 2.17.2, the /graphql endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the application unable to...

5.9 CVSS · 0.00517 EPSS
Exploits 1 · References 1

Cvelist
added 2025/03/20 10:10 a.m. · 10 views

CVE-2025-1473 CSRF in mlflow/mlflow

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Signup feature of mlflow/mlflow versions 2.17.0 to 2.20.1. This vulnerability allows an attacker to create a new account, which may be used to perform unauthorized actions on behalf of the malicious user...

5.4 CVSS · 0.00202 EPSS
Exploits 1 · References 2

Vulnrichment
added 2025/03/20 10:10 a.m. · 4 views

CVE-2025-1473 CSRF in mlflow/mlflow

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Signup feature of mlflow/mlflow versions 2.17.0 to 2.20.1. This vulnerability allows an attacker to create a new account, which may be used to perform unauthorized actions on behalf of the malicious user...

5.4 CVSS · 5.5 AI score · 0.00202 EPSS
Exploits 1 · References 2

Vulnrichment
added 2025/03/20 10:10 a.m. · 9 views

CVE-2025-1474 Weak Password Requirements in mlflow/mlflow

In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally, this issue violates best practices for secure user accou...

3.8 CVSS · 4 AI score · 0.00336 EPSS
Exploits 1 · References 2

Cvelist
added 2025/03/20 10:10 a.m. · 15 views

CVE-2025-1474 Weak Password Requirements in mlflow/mlflow

In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally, this issue violates best practices for secure user accou...

3.8 CVSS · 0.00336 EPSS
Exploits 1 · References 2

CVE
added 2025/03/20 10:10 a.m. · 62 views

CVE-2025-1473

In MLflow (mlflow/mlflow), a CSRF vulnerability affects versions 2.17.0 to 2.20.1 in the Signup feature, allowing an attacker to create a new account and potentially perform unauthorized actions on behalf of the attacker’s account. The CVE-2025-1473 entry documents the flaw and its impact as Cros...

7.1 CVSS · 5.5 AI score · 0.00202 EPSS
Exploits 1 · References 2 · Affected Software 1

CVE
added 2025/03/20 10:9 a.m. · 88 views

CVE-2024-8859

Mlflow/mlflow 2.15.1 contains a path traversal/local file read vulnerability when using the dbfs service: the URL is interpolated into the file protocol with only the path portion validated, enabling reading arbitrary server files when dbfs is mounted locally. Public sources (Nuclei template, OSV...

7.5 CVSS · 7.4 AI score · 0.02504 EPSS
Exploits 1 · References 2 · Affected Software 1

Cvelist
added 2025/03/20 10:9 a.m. · 13 views

CVE-2024-8859 Path Traversal in mlflow/mlflow

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while...

7.5 CVSS · 0.02504 EPSS
Exploits 1 · References 2

Vulnrichment
added 2025/03/20 10:9 a.m. · 4 views

CVE-2024-8859 Path Traversal in mlflow/mlflow

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while...

7.5 CVSS · 7.4 AI score · 0.02504 EPSS
Exploits 1 · References 2

Vulnrichment
added 2025/03/20 10:9 a.m. · 8 views

CVE-2024-6838 Uncontrolled Resource Consumption in mlflow/mlflow

In mlflow/mlflow version v2.13.2, a vulnerability exists that allows the creation or renaming of an experiment with a large number of integers in its name due to the lack of a limit on the experiment name. This can cause the MLflow UI panel to become unresponsive, leading to a potential denial of...

5.3 CVSS · 5.2 AI score · 0.00615 EPSS
Exploits 1 · References 1

Cvelist
added 2025/03/20 10:9 a.m. · 28 views

CVE-2024-6838 Uncontrolled Resource Consumption in mlflow/mlflow

In mlflow/mlflow version v2.13.2, a vulnerability exists that allows the creation or renaming of an experiment with a large number of integers in its name due to the lack of a limit on the experiment name. This can cause the MLflow UI panel to become unresponsive, leading to a potential denial of...

5.3 CVSS · 0.00615 EPSS
Exploits 1 · References 1

CVE
added 2025/03/20 10:9 a.m. · 56 views

CVE-2024-6838

CVE-2024-6838 affects mlflow/mlflow v2.13.2, allowing creation or renaming of an experiment with an unbounded number of integers in the name and no limit on the artifact_location, leading to potential denial of service due to UI unresponsiveness (uncontrolled resource consumption). The vulnerabil...

5.3 CVSS · 5.3 AI score · 0.00615 EPSS
Exploits 1 · References 1 · Affected Software 1

Positive Technologies
added 2025/03/20 12:0 a.m. · 6 views

PT-2025-12167 · Mlflow · Mlflow

Name of the Vulnerable Software and Affected Versions: mlflow/mlflow version v2.13.2 Description: A potential denial of service issue exists due to the lack of a limit on the experiment name, allowing the creation or renaming of an experiment with a large number of integers in its name. This can...

5.3 CVSS · 5.1 AI score · 0.00615 EPSS
Exploits 1 · References 7

CNNVD
added 2025/03/20 12:0 a.m. · 2 views

MLflow Security Vulnerability

MLflow is an open source platform from MLflow that simplifies machine learning development, including tracking experiments, packaging code into repeatable runs, and sharing and deploying models. A security vulnerability exists in MLflow version v2.13.2, which stems from an unrestricted experiment...

5.3 CVSS · 5.4 AI score · 0.00615 EPSS
Exploits 1 · References 1

CNNVD
added 2025/03/20 12:0 a.m. · 2 views

MLflow Cross-Site Request Forgery Vulnerability

MLflow is an open source platform from MLflow that simplifies machine learning development, including tracking experiments, packaging code into repeatable runs, and sharing and deploying models. A cross-site request forgery vulnerability exists in MLflow versions 2.17.0 through 2.20.1, which stem...

7.1 CVSS · 5.4 AI score · 0.00202 EPSS
Exploits 1 · References 3

CNNVD
added 2025/03/20 12:0 a.m. · 2 views

MLflow Security Vulnerability

MLflow is an open source platform from MLflow that simplifies machine learning development, including tracking experiments, packaging code into repeatable runs, and sharing and deploying models. A security vulnerability exists in MLflow version 2.15.1, which stems from a misconfiguration of the...

7.5 CVSS · 7.5 AI score · 0.02504 EPSS
Exploits 1 · References 2

Positive Technologies
added 2025/03/20 12:0 a.m. · 3 views

PT-2025-12315 · Mlflow · Mlflow

Name of the Vulnerable Software and Affected Versions: mlflow/mlflow version 2.17.2 Description: The /graphql endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment, tying up all the workers...

7.5 CVSS · 5.5 AI score · 0.00517 EPSS
Exploits 1 · References 9

Positive Technologies
added 2025/03/20 12:0 a.m. · 3 views

PT-2025-12247 · Mlflow · Mlflow

Name of the Vulnerable Software and Affected Versions: mlflow/mlflow version 2.15.1 Description: A path traversal issue exists when users configure and use the dbfs service. The vulnerability arises from directly concatenating the URL into the file protocol, resulting in an arbitrary file read...

7.5 CVSS · 7.2 AI score · 0.02504 EPSS
Exploits 1 · References 9

CNNVD
added 2025/03/20 12:0 a.m. · 4 views

MLflow Security Vulnerability

MLflow is an open source platform from MLflow that simplifies machine learning development, including tracking experiments, packaging code into repeatable runs, and sharing and deploying models. A security vulnerability exists in MLflow version 2.17.2, which stems from a possible denial-of-servic...

7.5 CVSS · 5.8 AI score · 0.00517 EPSS
Exploits 1 · References 2

CNNVD
added 2025/03/20 12:0 a.m. · 3 views

MLflow Security Vulnerability

MLflow is an open source platform from MLflow that simplifies machine learning development, including tracking experiments, packaging code into repeatable runs, and sharing and deploying models. A security vulnerability exists in MLflow version 2.18 that stems from the ability for administrators ...

5.5 CVSS · 4.6 AI score · 0.00336 EPSS
Exploits 1 · References 3