GHSA-83FM-W79M-64R5

GHSA-83FM-W79M-64R5 is a critical-severity security vulnerability in mlflow (pip), affecting versions < 2.3.1. It is fixed in 2.3.1.

Summary

Workarounds

If you are using the MLflow open source mlflow server or mlflow ui commands, we strongly recommend limiting who can access your MLflow Model Registry and MLflow Tracking servers using a cloud VPC, an IP allowlist for inbound requests, authentication / authorization middleware, or another access restriction mechanism of your choosing.

If you are using the MLflow open source mlflow server or mlflow ui commands, we also strongly recommend limiting the remote files to which your MLflow Model Registry and MLflow Tracking servers have access. For example, if your MLflow Model Registry or MLflow Tracking server uses cloud-hosted blob storage for MLflow artifacts, make sure to restrict the scope of your server's cloud credentials such that it can only access files and directories related to MLflow.

References

Impact

Users of the MLflow Open Source Project who are hosting the MLflow Model Registry using the mlflow server or mlflow ui commands using an MLflow version older than MLflow 2.3.1 may be vulnerable to a remote file access exploit if they are not limiting who can query their server (for example, by using a cloud VPC, an IP allowlist for inbound requests, or authentication / authorization middleware).

This issue only affects users and integrations that run the mlflow server and mlflow ui commands. Integrations that do not make use of mlflow server or mlflow ui are unaffected; for example, the Databricks Managed MLflow product and MLflow on Azure Machine Learning do not make use of these commands and are not impacted by these vulnerabilities in any way.

The vulnerability is very similar to https://nvd.nist.gov/vuln/detail/CVE-2023-1177, and a separate CVE will be published and updated here shortly.

Affected versions

mlflow (< 2.3.1)

Security releases

mlflow → 2.3.1 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

This vulnerability has been patched in MLflow 2.3.1, which was released to PyPI on April 27th, 2023. If you are using mlflow server or mlflow ui with the MLflow Model Registry, we recommend upgrading to MLflow 2.3.1 as soon as possible.

Frequently Asked Questions

  1. What is GHSA-83FM-W79M-64R5? GHSA-83FM-W79M-64R5 is a critical-severity security vulnerability in mlflow (pip), affecting versions < 2.3.1. It is fixed in 2.3.1.
  2. Which versions of mlflow are affected by GHSA-83FM-W79M-64R5? mlflow (pip) versions < 2.3.1 is affected.
  3. Is there a fix for GHSA-83FM-W79M-64R5? Yes. GHSA-83FM-W79M-64R5 is fixed in 2.3.1. Upgrade to this version or later.
  4. Is GHSA-83FM-W79M-64R5 exploitable, and should I be worried? Whether GHSA-83FM-W79M-64R5 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether GHSA-83FM-W79M-64R5 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix GHSA-83FM-W79M-64R5? Upgrade mlflow to 2.3.1 or later.

Other vulnerabilities in mlflow

Other vulnerabilities in mlflow

Stop the waste.
Protect your environment with Kodem.