BIT-mlflow-2024-6838
Denial of Service vulnerability in mlflow (PyPI)

Type: Denial of Service. Known public exploit: none.

What is BIT-mlflow-2024-6838 About?

This is a Denial of Service vulnerability in MLflow versions up to v2.13.2, caused by a lack of input length validation for experiment names and the `artifact_location` parameter. Exploitation allows attackers to make the MLflow UI unresponsive. It is relatively easy to exploit by providing overly long strings.

Affected Software

mlflow <=2.13.2

Technical Details

MLflow v2.13.2 and earlier contains a Denial of Service vulnerability stemming from insufficient input validation. Specifically, no character limit is enforced on the experiment name or the `artifact_location` parameter when an experiment is created or renamed. An attacker can create an experiment whose name is an extremely long string containing a large number of integers. When the MLflow UI attempts to render or process this malformed experiment name, it can become unresponsive because of the excessive data, resulting in a denial of service. The missing character limit on the `artifact_location` parameter further contributes to potential resource exhaustion or unexpected behavior, although the primary DoS vector here is the experiment name length.

What is the Impact of BIT-mlflow-2024-6838?

Successful exploitation may allow attackers to disrupt the availability of the MLflow UI, causing it to become unresponsive for legitimate users.

What is the Exploitability of BIT-mlflow-2024-6838?

Exploiting this vulnerability is of relatively low complexity, requiring only the ability to create or rename an experiment in MLflow. No authentication beyond ordinary user access to MLflow is required, and no elevated privileges are needed. This is a remote vulnerability, since an attacker can interact with the MLflow API to create a malformed experiment. The primary condition for exploitation is the ability to create new experiments. The likelihood of exploitation is higher in environments where MLflow instances are exposed and user input for experiment names is not validated at an earlier stage.
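The earlier-stage validation that the Technical Details and Exploitability sections describe as missing can be added in front of the tracking server. The following is an added example, not MLflow's own code: a WSGI middleware that caps the length of the experiment name and `artifact_location` fields on the MLflow REST API create/update experiment endpoints before the request reaches MLflow. The endpoint paths are those of the MLflow REST API; the length limits are assumed values to be adjusted to your naming scheme.

```python
"""Length guard for MLflow experiment requests (added example, not MLflow code)."""
import io
import json

# Assumed caps: MLflow <=2.13.2 enforces none, so pick values that fit your naming scheme.
MAX_NAME_LEN = 256
MAX_ARTIFACT_LOCATION_LEN = 1024

# MLflow REST endpoints that accept the fields named in the advisory.
CHECKED_FIELDS = {
    "/api/2.0/mlflow/experiments/create": {
        "name": MAX_NAME_LEN,
        "artifact_location": MAX_ARTIFACT_LOCATION_LEN,
    },
    "/api/2.0/mlflow/experiments/update": {"new_name": MAX_NAME_LEN},
}


def check_experiment_request(path, raw_body):
    """Return (allowed, reason) for one request; lengths are counted in code points."""
    limits = CHECKED_FIELDS.get(path)
    if limits is None:
        return True, "not an experiment create/update request"
    try:
        body = json.loads(raw_body or b"{}")
    except ValueError:
        return False, "body is not valid JSON"
    if not isinstance(body, dict):
        return False, "body is not a JSON object"
    for field, limit in limits.items():
        value = body.get(field)
        if value is None:
            continue  # optional field not supplied
        if not isinstance(value, str):
            return False, f"{field} must be a string"
        if len(value) > limit:
            return False, f"{field} length {len(value)} exceeds limit {limit}"
    return True, "ok"


def length_guard(app):
    """WSGI middleware: answer 400 for oversized experiment requests, else pass through."""
    def guarded(environ, start_response):
        raw = b""
        if environ.get("REQUEST_METHOD") == "POST":
            raw = environ["wsgi.input"].read()
            environ["wsgi.input"] = io.BytesIO(raw)  # hand the body on intact
        allowed, reason = check_experiment_request(environ.get("PATH_INFO", ""), raw)
        if not allowed:
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [reason.encode()]
        return app(environ, start_response)
    return guarded
```

Wrap the tracking server's Flask application with `length_guard` in the gunicorn entry point, or apply the same limits in the reverse proxy in front of it.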

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for BIT-mlflow-2024-6838?

Available Upgrade Options

  • No fixes available

Additional Resources

What are Similar Vulnerabilities to BIT-mlflow-2024-6838?

Similar Vulnerabilities: CVE-2023-51449, CVE-2023-51478, CVE-2023-49086, CVE-2023-49085, CVE-2023-48866