MLflow Stored XSS via YAML Deserialization and Authorization Bypass

Vulnerability Overview This webpage reveals two critical security vulnerabilities within the MLflow platform: 1. Stored XSS (via YAML Deserialization): The MLflow frontend uses the insecure method (from the library) when parsing model artifacts. Attackers can craft YAML content containing malicious tags. When other users view the artifact, the frontend parser instantiates JavaScript objects and executes the code within them (e.g., triggering an alert). Exploitation Chain: parses an object containing a function -> passed to -> calls for forced conversion -> triggers function execution. 2. Authorization Bypass: MLflow's metadata endpoints and artifact download endpoints utilize different permission check mechanisms. Metadata endpoints are based on protobuf service definitions, whereas artifact download endpoints are implemented as custom Flask routes. Since MLflow's authentication layer is primarily built around protobuf definitions for permission mapping, it may fail to correctly intercept unauthorized requests to artifacts, allowing users to access model artifacts they are not authorized to view. Scope of Impact Environment: All shared deployment environments using MLflow for model management. Attacker: Any user capable of uploading model artifacts. Victim: Any user viewing a model containing a malicious artifact (triggering XSS). Data: Model artifacts (Artifacts) and their metadata. Remediation Plan 1. For the XSS Vulnerability: Replace in the code with . strips support for dangerous YAML tags, preventing the construction of executable objects during deserialization. Note: Although version 3.14.0 defaults to safe mode, remains insecure in 3.x versions. 2. For the Authorization Bypass: Unify the permission check logic for artifact download endpoints to ensure consistency with metadata endpoints. Explicitly add permission checks within the Flask routes to ensure the authentication layer correctly intercepts requests. POC Code The following Proof of Concept (PoC) Python script provided on the webpage is used to construct malicious artifacts:

Goal Reached Thanks to every supporter — we hit 100%!

MLflow Stored XSS via YAML Deserialization and Authorization Bypass