Insecure Temporary File in mlflow/mlflow


Reported on

Jan 8th 2022


mlflow package is using the deprecated function tempfile.mktemp() which is not secure. Because a different process may create a file with this name in the time between the call to mktemp() and the subsequent attempt to create the file by the first process.


Availability will get affected because of this vulnerability.


Use mkstemp() instead of tempfile.mktemp()

We are processing your report and will contact the mlflow team within 24 hours. 2 years ago
We created a GitHub Issue asking the maintainers to create a 2 years ago
Corey Zumar validated this vulnerability 2 years ago
srikanthprathi has been awarded the disclosure bounty
The fix bounty is now up for grabs
Corey Zumar marked this as fixed in 1.23.1 with commit 61984e 2 years ago
The fix bounty has been dropped has been validated
to join this conversation