BIT-mlflow-2024-3099
Denial of Service vulnerability in mlflow (PyPI)
What is BIT-mlflow-2024-3099 About?
This vulnerability in MLflow allows attackers to create multiple models with the same name using URL encoding, leading to Denial of Service (DoS) and potential data model poisoning. As a result, an authenticated user might use the wrong model. Exploitation is moderately easy for an attacker who has login access to MLflow. The core issue is inadequate validation of model names.
Affected Software
Technical Details
The vulnerability in MLflow (mlflow/mlflow version 2.11.1) stems from insufficient validation of model names. Specifically, the system processes URL-encoded model names as distinct entities from their URL-decoded counterparts. This allows an attacker, after authenticating, to create multiple 'logically' identical model names by using different URL encodings (e.g., 'model_A' and 'model%5FA'). When a user attempts to interact with 'model_A', the system might unpredictably pick one of the several identically-named but differently-encoded models. This leads to a Denial of Service, as the intended model might not be consistently accessed. Furthermore, an attacker can exploit this by creating a 'poisoned' model with a URL-encoded name that resolves identically to a legitimate model's name, causing an authenticated user to inadvertently use the malicious model, leading to data model poisoning.
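The following audit check is an added example, not code from MLflow or from its fix: it groups registered model names that collapse to the same name once percent-decoding is applied, which is the ambiguity described above. The name list is a constructed sample (in practice it would come from an export of the registry), the function names are hypothetical, and the double-encoded name goes one step beyond the single-encoding case the advisory mentions.

```python
from collections import defaultdict
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 5  # bound on nested encodings such as %255F -> %5F -> _


def canonical_name(name: str) -> str:
    """Percent-decode repeatedly until the name stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(name)
        if decoded == name:
            return name
        name = decoded
    raise ValueError("name is still changing after repeated decoding")


def is_unambiguous(name: str) -> bool:
    """True when the stored name is already its own canonical form."""
    try:
        return canonical_name(name) == name
    except ValueError:
        return False


def find_encoding_collisions(names):
    """Group registered names that decode to the same canonical name."""
    groups = defaultdict(set)
    for raw in names:
        try:
            groups[canonical_name(raw)].add(raw)
        except ValueError:
            groups[raw].add(raw)  # keep over-nested names as their own group
    return {canon: sorted(raws) for canon, raws in groups.items() if len(raws) > 1}


# Constructed sample: names as they might be exported from a model registry.
SAMPLE_NAMES = ["model_A", "model%5FA", "model%255FA", "fraud-detector", "churn_v2"]

if __name__ == "__main__":
    for canon, raws in find_encoding_collisions(SAMPLE_NAMES).items():
        print(f"{canon!r} is registered under {len(raws)} encodings: {raws}")
    for name in SAMPLE_NAMES:
        if not is_unambiguous(name):
            print(f"reject or rename: {name!r}")
```

The same `is_unambiguous` check can be applied at model-creation time in a proxy or wrapper as a compensating control on instances that cannot be upgraded immediately.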
What is the Impact of BIT-mlflow-2024-3099?
Successful exploitation may allow attackers to cause a Denial of Service, preventing legitimate users from accessing intended models, and to perform data model poisoning, leading to incorrect predictions or manipulation of data processes.
What is the Exploitability of BIT-mlflow-2024-3099?
Exploitation requires an authenticated attacker to create models with URL-encoded names. The complexity is moderate, as it requires an understanding of how MLflow handles model naming and URL encoding. Authentication is required, meaning an attacker needs valid credentials to access the MLflow instance. While the impact is on the MLflow system itself, the attack is initiated remotely by an authenticated user. There are no special conditions beyond the attacker having the ability to create models. The primary risk factor is the lack of strict name validation during model creation, allowing for ambiguous model identification.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-mlflow-2024-3099?
Available Upgrade Options
- mlflow
- <2.11.3 → Upgrade to 2.11.3
Additional Resources
What are Similar Vulnerabilities to BIT-mlflow-2024-3099?
Similar Vulnerabilities: CVE-2023-45803, CVE-2022-41903, CVE-2021-30467, CVE-2020-1938, CVE-2019-17482
