Componentpedia / Listings / mlflow / 2.20.3

Last update: 01/07/2025

mlflow

Open source platform for the machine learning lifecycle

Version: 2.20.3 registry icon
Safety score
-120
Check your open source dependency risks. Get immediate insight about security, stability and licensing risks.
De-risk your app now
Security Risks of Known Vulnerabilities
CVE-2024-37058
CWE-502
Threat level: HIGH | CVSS score: 8.8

Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.5.0 or newer, enabling a maliciously uploaded Langchain AgentExecutor model to run arbitrary code on an end user’s system when interacted with.


CVE-2024-37052
CWE-502
Threat level: HIGH | CVSS score: 8.8

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with.


CVE-2024-37060
CWE-502
Threat level: HIGH | CVSS score: 8.8

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Recipe to execute arbitrary code on an end user’s system when run.


CVE-2025-52967
CWE-918
Threat level: MEDIUM | CVSS score: 5

gateway_proxy_handler in MLflow before 3.1.0 lacks gateway_path validation.


CVE-2024-37056
CWE-502
Threat level: HIGH | CVSS score: 8.8

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.23.0 or newer, enabling a maliciously uploaded LightGBM scikit-learn model to run arbitrary code on an end user’s system when interacted with.


CVE-2024-37053
CWE-502
Threat level: HIGH | CVSS score: 8.8

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with.


CVE-2024-37057
CWE-502
Threat level: HIGH | CVSS score: 8.8

Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.0.0rc0 or newer, enabling a maliciously uploaded Tensorflow model to run arbitrary code on an end user’s system when interacted with.


CVE-2024-37061
CWE-94
Threat level: HIGH | CVSS score: 8.8

Remote Code Execution can occur in versions of the MLflow platform running version 1.11.0 or newer, enabling a maliciously crafted MLproject to execute arbitrary code on an end user’s system when run.


CVE-2024-37055
CWE-502
Threat level: HIGH | CVSS score: 8.8

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.24.0 or newer, enabling a maliciously uploaded pmdarima model to run arbitrary code on an end user’s system when interacted with.


CVE-2024-37054
CWE-502
Threat level: HIGH | CVSS score: 8.8

Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.9.0 or newer, enabling a maliciously uploaded PyFunc model to run arbitrary code on an end user’s system when interacted with.


CVE-2024-37059
CWE-502
Threat level: HIGH | CVSS score: 8.8

Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with.


Please note that this component is affected by another vulnerability
0 Critical  |  0 High  |  1 Medium  |  0 Low  |  0 Suggest

All versions of this component are vulnerable.

Scan your application codebase with Meterian to see all known vulnerabilities in your open source software dependencies.


Stability

Stay updated with the latest patches and releases. Plan your sofware desisgn. Avoid common known vulnerabilities fixed by the open source community

Latest patch release:   2.20.4

Latest minor release:   2.22.1

Latest major release:   3.1.1

Licensing

Maintain your licence declarations and avoid unwanted licences to protect your IP the way you intended.

Apache-1.0   -   Apache License 1.0

Not a wildcard

Not proprietary

OSI Compliant