BIT-mlflow-2025-52967
Path validation vulnerability in mlflow (PyPI)

Path validation | No known exploit

What is BIT-mlflow-2025-52967 About?

MLflow versions before 3.1.0 are vulnerable due to a lack of `gateway_path` validation in the `gateway_proxy_handler`. This oversight could allow attackers to bypass intended routing or access restrictions. The ease of exploitation depends on the specific exposure and configuration of the gateway proxy handler.

Affected Software

  • mlflow
    • <39a419b4ec8fd11b59b3e50ab397042a490f2324
    • <2.22.2
    • >3.0.0rc0, <3.1.0
    • <3.1.0

Technical Details

The `gateway_proxy_handler` in MLflow versions prior to 3.1.0 lacks proper validation for the `gateway_path` parameter. This means that if an attacker can manipulate or inject a crafted `gateway_path`, the handler will process it without adequate security checks. This could lead to a variety of issues, such as directory traversal, arbitrary file access, or bypassing access control mechanisms, depending on how `gateway_path` is used within the proxy logic. The absence of validation allows an attacker to specify paths that are outside the intended scope.

What is the Impact of BIT-mlflow-2025-52967?

Successful exploitation may allow attackers to bypass access controls, access unauthorized resources or data, or trigger unintended actions via path manipulation.

What is the Exploitability of BIT-mlflow-2025-52967?

Exploitation of this path validation vulnerability would involve crafting a malicious `gateway_path` and submitting it to the affected `gateway_proxy_handler`. The complexity of exploitation is low to moderate, dependent on the accessibility of the handler and how thoroughly an attacker can control the path parameter. Depending on the configuration, no authentication might be required if the gateway is exposed publicly. This is typically a remote attack. The primary risk factor is any direct exposure of the MLflow gateway that processes user-controlled `gateway_path` parameters.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for BIT-mlflow-2025-52967?

Available Upgrade Options

  • mlflow
    • <2.22.2 → Upgrade to 2.22.2
  • mlflow
    • <39a419b4ec8fd11b59b3e50ab397042a490f2324 → Upgrade to 39a419b4ec8fd11b59b3e50ab397042a490f2324
  • mlflow
    • <3.1.0 → Upgrade to 3.1.0
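
The affected ranges and upgrade targets listed above, turned into a version check (an added example, not code from MLflow or from this advisory). It assumes plain `X.Y.Z` versions with an optional `a`/`b`/`rc` suffix, treats 2.x releases from 2.22.2 onward as patched, and counts 3.0.0rc0 as affected under the broader `<3.1.0` entry; the function names are illustrative.

```python
import re
from importlib import metadata

# Fixed releases as listed in this advisory.
FIXED_2X = "2.22.2"
FIXED_3X = "3.1.0"

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2, None: 3}  # a final release sorts after its rc

def parse(version):
    """Return a sortable key for X.Y.Z with an optional a/b/rc suffix."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    major, minor, patch, tag, num = m.groups()
    return (int(major), int(minor), int(patch), _PRE_RANK[tag], int(num or 0))

def is_affected(version):
    """True if the version falls inside the advisory's affected ranges."""
    key = parse(version)
    if key >= parse(FIXED_3X):
        return False
    # Assumption: 2.x releases at or above 2.22.2 are patched.
    return not (key[0] == 2 and key >= parse(FIXED_2X))

def fixed_release(version):
    """Upgrade target from the advisory, or None if not affected."""
    if not is_affected(version):
        return None
    return FIXED_2X if parse(version) < parse(FIXED_2X) else FIXED_3X

def audit_installed(package="mlflow"):
    """Report on the version installed in the current environment."""
    try:
        installed = metadata.version(package)
    except metadata.PackageNotFoundError:
        return f"{package}: not installed"
    target = fixed_release(installed)
    if target is None:
        return f"{package} {installed}: outside the affected ranges"
    return f"{package} {installed}: affected, upgrade to {target}"

if __name__ == "__main__":
    print(audit_installed())
```

Version strings outside the assumed format (for example `.dev` or `.post` builds) raise `ValueError` rather than being silently classified.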

Additional Resources

What are Similar Vulnerabilities to BIT-mlflow-2025-52967?

Similar Vulnerabilities: CVE-2023-45591, CVE-2023-40156, CVE-2022-42721, CVE-2021-43673, CVE-2020-25656