MLflow Server-Side Request Forgery Vulnerability

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability exists in MLflow versions prior to 3.9.0. The vulnerability arises because the webhook creation function accepts a user-controlled URL parameter without proper validation. This allows an authenticated attacker to direct outbound HTTP requests from the MLflow backend at internal services, cloud metadata endpoints, or arbitrary external servers. Because the URL is neither sanitized nor restricted to safe schemes, the flaw could lead to theft of cloud credentials, unauthorized access to internal networks, and data exfiltration.

Impact

Exploitation of this vulnerability could result in unauthorized access to internal services and cloud metadata endpoints, leading to theft of sensitive data such as cloud credentials. In real-world scenarios, this could allow attackers to compromise entire cloud accounts or access internal corporate networks.

Reproduction

To reproduce this vulnerability, create a webhook with a URL that points to an internal service or cloud metadata endpoint. Once the webhook is created, trigger it through the MLflow interface, which will send a POST request to the specified URL, exploiting the SSRF vulnerability.

Remediation

Users can update to MLflow version 3.10.0 or later, where this vulnerability has been fixed.
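The check the advisory says is missing, shown as an added example rather than MLflow's own code: reject webhook URLs whose scheme is not http(s) or whose host resolves to a loopback, private, link-local (cloud metadata) or multicast address. Function names, the `resolve` hook and the sample DNS answers used in the comments are assumptions made for this illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added illustration, not MLflow's own code: scheme filtering plus rejection of
# hosts that resolve to internal or link-local (cloud metadata) addresses.
ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """Every IPv4/IPv6 address the host maps to (A and AAAA records)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(ip_text):
    """True only for globally routable unicast addresses. is_global already
    rejects loopback, RFC 1918, link-local (covers 169.254.169.254), CGNAT, ULA
    and reserved ranges; multicast is not covered and is excluded here."""
    addr = ipaddress.ip_address(ip_text)
    return addr.is_global and not addr.is_multicast


def validate_webhook_url(url, resolve=resolve_all):
    """Return (accepted, reason) for a user-supplied webhook URL.

    `resolve` is injectable so the check can run offline. The addresses approved
    here must be the ones the HTTP client actually connects to, with redirects
    re-checked; otherwise a DNS answer that changes between validation and use
    (rebinding) gets past this check."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in the URL are not allowed"
    try:
        ipaddress.ip_address(host)      # IP literal: no DNS lookup needed
        addresses = {host}
    except ValueError:
        try:
            addresses = resolve(host)
        except OSError as exc:          # socket.gaierror is an OSError
            return False, "host does not resolve: %s" % exc
    for ip_text in addresses:
        if not is_public_address(ip_text):
            return False, "host resolves to non-public address %s" % ip_text
    return True, "ok"
```

Validation at creation time is only half of the fix: the outbound client that fires the webhook must connect to the approved addresses and apply the same check to any redirect it follows.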

Added: May 11, 2026, 6:48 PM
Updated: May 11, 2026, 6:48 PM

Vulnerability Rating

Custom Algorithm

  spread          5.7
  impact          0.6
  exploitability  6.2
  remediation     8.3
  relevance       8.0
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.