GHSA-qpgc-w4mg-6v92
GitHub Security Advisory
MLflow's excessive directory permissions allow local privilege escalation
✓ GitHub Reviewed
HIGH
Has CVE
Advisory Details
Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf. This behavior can be exploited by a local attacker to gain elevated permissions by using a ToCToU attack. The issue is only relevant when the spark_udf() MLflow API is called.
Affected Packages
PyPI
mlflow
Affected versions:
0
(fixed in 2.16.0)
Related CVEs
Key Information
7.5
/10
Dataset
Last updated: July 27, 2025 6:35 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.