Mlflow · Mlflow · CVE-2026-2393
**Name of the Vulnerable Software and Affected Versions**
MLflow versions prior to 3.9.0
**Description**
A Server-Side Request Forgery (SSRF) issue exists where the `_create_webhook()` function in `mlflow/server/handlers.py` accepts a user-controlled `url` parameter without validation. Subsequently, the `_send_webhook_request()` function in `mlflow/webhooks/delivery.py` sends HTTP POST requests to this attacker-controlled URL. This allows an authenticated attacker to force the backend to send HTTP requests to internal services, cloud metadata endpoints, or arbitrary external servers. The lack of input sanitization, URL scheme filtering, or allowlist validation enables potential cloud credential theft, internal network access, and data exfiltration.
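The description names three missing controls: scheme filtering, destination validation and an allowlist. The following is an added example of such a check for a webhook target URL, written for this advisory and not MLflow's own code; the function names `validate_webhook_url` and `is_safe_webhook_url` are hypothetical, and the resolver is injectable so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical hardening helper, not MLflow's own code: an allowlist-style check
# that a webhook target URL is safe for the server to request.
ALLOWED_SCHEMES = {"https"}


def _resolve(host):
    # Every address (A and AAAA) the name currently resolves to.
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_webhook_url(url, resolve=_resolve, allowed_hosts=None):
    """Return the URL if it targets a public, permitted host; otherwise raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if parts.username or parts.password:
        raise ValueError("userinfo in URL not allowed")
    # A strict host-name allowlist is the strongest option when the set of
    # legitimate webhook receivers is known in advance.
    if allowed_hosts is not None and host not in allowed_hosts:
        raise ValueError(f"host {host!r} not in allowlist")
    # A literal IP is checked directly; a name is resolved and every address
    # checked, since a name can be pointed at 127.0.0.1 or 169.254.169.254.
    try:
        addrs = {ipaddress.ip_address(host)}
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolve(host)}
        except (OSError, ValueError) as exc:
            raise ValueError(f"cannot resolve {host!r}") from exc
    for addr in addrs:
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
        if not addr.is_global:  # loopback, private, link-local (metadata), reserved
            raise ValueError(f"{host!r} resolves to non-public address {addr}")
    return parts.geturl()


def is_safe_webhook_url(url, **kwargs):
    # Boolean form for callers that only need a verdict.
    try:
        validate_webhook_url(url, **kwargs)
        return True
    except ValueError:
        return False
```

Validating only when the webhook is created leaves a DNS rebinding window between creation and delivery, so the delivery path should re-run the check (or connect to the address it validated) at send time.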
**Recommendations**
Update to version 3.9.0 or later.