Update dependency mlflow to v3 [SECURITY]

[oep-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
mlflow	==2.21.3 -> ==3.5.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

MLflow Weak Password Requirements Authentication Bypass Vulnerability

BIT-mlflow-2025-11200 / CVE-2025-11200 / GHSA-6xj8-rrqx-r4cv

More information

Details

MLflow Weak Password Requirements Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of passwords. The issue results from weak password requirements. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26916.

Severity

• CVSS Score: 8.1 / 10 (High)
• Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-11200
• https://github.com/mlflow/mlflow/commit/1f74f3f24d8273927b8db392c23e108576936c54
• https://github.com/mlflow/mlflow
• https://www.zerodayinitiative.com/advisories/ZDI-25-932

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

MLFlow SSRF via gateway_proxy_handler

BIT-mlflow-2025-52967 / CVE-2025-52967 / GHSA-wxj7-3fx5-pp9m / PYSEC-2025-52

More information

Details

gateway_proxy_handler in MLflow before 3.1.0 lacks gateway_path validation.

Severity

• CVSS Score: 5.8 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-52967
• https://github.com/mlflow/mlflow/issues/15944
• https://github.com/mlflow/mlflow/pull/15970
• https://github.com/mlflow/mlflow
• https://github.com/mlflow/mlflow/releases/tag/v2.22.2
• https://github.com/mlflow/mlflow/releases/tag/v3.1.0
• https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2025-52.yaml

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability

BIT-mlflow-2025-11201 / CVE-2025-11201 / GHSA-5cvj-7rg6-jggj

More information

Details

MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of model file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26921.

Severity

• CVSS Score: 8.1 / 10 (High)
• Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-11201
• https://github.com/B-Step62/mlflow/commit/2e02bc7bb70df243e6eb792689d9b8eba0013161
• https://github.com/mlflow/mlflow/commit/e7dc0574fa3459e0003cfeb68d4e4a625491f03d
• https://github.com/mlflow/mlflow
• https://www.zerodayinitiative.com/advisories/ZDI-25-931

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

BIT-mlflow-2025-52967 / CVE-2025-52967 / GHSA-wxj7-3fx5-pp9m / PYSEC-2025-52

More information

Details

gateway_proxy_handler in MLflow before 3.1.0 lacks gateway_path validation.

Severity

Unknown

References

• https://github.com/mlflow/mlflow/issues/15944
• https://github.com/mlflow/mlflow/pull/15970
• https://github.com/mlflow/mlflow/releases/tag/v3.1.0

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).

---

MLFlow unsafe deserialization

BIT-mlflow-2024-37059 / CGA-2xhw-w75q-cpqg / CVE-2024-37059 / GHSA-wf7f-8fxf-xfxc

More information

Details

Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with.

Severity

• CVSS Score: 8.8 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-37059
• https://github.com/mlflow/mlflow
• https://hiddenlayer.com/sai-security-advisory/mlflow-june2024

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

mlflow/mlflow (mlflow)

v3.5.0

Compare Source

MLflow 3.5.0 includes several major features and improvements!

Major Features

• ⚙️ Job Execution Backend: Introduced a new job execution backend infrastructure for running asynchronous tasks with individual execution pools, job search capabilities, and transient error handling. (#​17676, #​18012, #​18070, #​18071, #​18112, #​18049, @​WeichenXu123)
• 🎯 Flexible Prompt Optimization API: Introduced a new flexible API for prompt optimization with support for model switching and the GEPA algorithm, enabling more efficient prompt tuning with fewer rollouts. See the documentation to get started. (#​18183, #​18031, @​TomeHirata)
• 🎨 Enhanced UI Onboarding: Improved in-product onboarding experience with trace quickstart drawer and updated homepage guidance to help users discover MLflow's latest features. (#​18098, #​18187, @​B-Step62)
• 🔐 Security Middleware for Tracking Server: Added a security middleware layer to protect against DNS rebinding, CORS attacks, and other security threats. Read the documentation for configuration details. (#​17910, @​BenWilson2)

Features

• [Tracing / Tracking] Add unlink_traces_from_run batch operation (#​18316, @​harupy)
• [Tracing] Add batch trace link/unlink operations to DatabricksTracingRestStore (#​18295, @​harupy)
• [Tracking] Claude Code SDK autologging support (#​18022, @​smoorjani)
• [Tracing] Add support for reading trace configuration from environment variables (#​17792, @​joelrobin18)
• [Tracking] Mistral tracing improvements (#​16370, @​joelrobin18)
• [Tracking] Gemini token count tracking (#​16248, @​joelrobin18)
• [Tracking] Gemini streaming support (#​16249, @​joelrobin18)
• [Tracking] CrewAI token count tracking with documentation updates (#​16373, @​joelrobin18)
• [Evaluation] Allow passing empty scorer list for manual result comparison (#​18265, @​B-Step62)
• [Evaluation] Log assessments to DSPy evaluation traces (#​18136, @​B-Step62)
• [Evaluation] Add support for trace inputs to built-in scorers (#​17943, @​BenWilson2)
• [Evaluation] Add synonym handling for built-in scorers (#​17980, @​BenWilson2)
• [Evaluation] Add span timing tool for Agent Judges (#​17948, @​BenWilson2)
• [Evaluation] Allow disabling evaluation sample check (#​18032, @​B-Step62)
• [Evaluation] Reduce verbosity of SIMBA optimizer logs when aligning judges (#​17795, @​BenWilson2)
• [Evaluation] Add __repr__ method for Judges (#​17794, @​BenWilson2)
• [Prompts] Add prompt registry support to MLflow webhooks (#​17640, @​harupy)
• [Prompts] Prompt Registry Chat UI (#​17334, @​joelrobin18)
• [UI] Delete parent and child runs together (#​18052, @​joelrobin18)
• [UI] Added move to top, move to bottom for charts (#​17742, @​joelrobin18)
• [Tracking] Use sampling data for run comparison to improve performance (#​17645, @​lkuo)
• [Tracking] Add optional 'outputs' column for evaluation dataset records (#​17735, @​WeichenXu123)

Bug Fixes

• [Tracing] Fix parent run resolution mechanism for LangChain (#​17273, @​B-Step62)
• [Tracing] Add client-side retry for get_trace to improve reliability (#​18224, @​B-Step62)
• [Tracing] Fix OpenTelemetry dual export (#​18163, @​B-Step62)
• [Tracing] Suppress false warnings from span logging (#​18092, #​18276, @​B-Step62)
• [Tracing] Fix OpenTelemetry resource attributes not propagating correctly (#​18019, @​xiaosha007)
• [Tracing] Fix DSPy prompt display (#​17988, @​B-Step62)
• [Tracing] Fix usage aggregation to avoid ancestor duplication (#​17921, @​TomeHirata)
• [Tracing] Fix double counting in Strands tracing (#​17855, @​joelrobin18)
• [Tracing] Fix to_predict_fn to handle traces without tags field (#​17784, @​harupy)
• [Tracing] URL-encode trace tag keys in delete_trace_tag to prevent 404 errors (#​18232, @​copilot-swe-agent)
• [Tracking] Fix Claude Code autologging inputs not displaying (#​17858, @​smoorjani)
• [Tracking] Fix runs with 0-valued metrics not appearing in experiment list contour plots (#​17916, @​WeichenXu123)
• [Tracking] Fix DSPy run display (#​18137, @​B-Step62)
• [Tracking] Allow list of types in tools JSON Schema for OpenAI autolog (#​17908, @​fedem96)
• [Tracking] Set tracking URI environment variable for job runner (#​18073, @​WeichenXu123)
• [Evaluation] Add atomicity to job_start API (#​18226, @​BenWilson2)
• [Evaluation] Fix trace ingest for outputs in merge_records() API (#​18047, @​BenWilson2)
• [Evaluation] Fix judge regression (#​18039, @​B-Step62)
• [Evaluation] Fix judges to use non-empty user messages for Anthropic model compatibility (#​17935, @​dbczumar)
• [Evaluation] Fix endpoints error in judge (#​18048, @​joelrobin18)
• [Model Registry] Fix creating model versions from non-Databricks tracking to Databricks Unity Catalog registry (#​18244, @​austinwarner-8451)
• [Model Registry] Fix registry URI instantiation for artifact download (#​17982, @​arpitjasa-db)
• [Model Registry] Include original error details in Unity Catalog model copy failure messages (#​17997, @​harupy)
• [Model Registry] Fix webhook delivery to exit early for FileStore instances (#​18015, @​copilot-swe-agent)
• [Prompts] Fix error suppression during prompt alias resolution when allow_missing is set (#​17541, @​mr-brobot)
• [UI] General UI improvements (#​18281, @​joelrobin18)
• [Models] Fix dataset issue (#​18081, @​joelrobin18)
• [Models] Forward dataset name and digest to PolarsDataset's to_evaluation_dataset method (#​17886, @​sadelcarpio)
• [Build] Fix mlflow server exiting immediately when optional huey package is missing (#​18016, @​harupy)
• [Scoring] Fix chat completion arguments (#​18248, @​aravind-segu)

Documentation Updates

• [Docs] Add self-hosted documentation support (#​17986, @​B-Step62)
• [Docs] Add GitHub feature requests section to GenAI documentation (#​18342, @​TomeHirata)
• [Docs] Update Claude Code SDK tracing documentation (#​18026, @​smoorjani)
• [Docs] Add documentation for Analyze Experiment MCP/CLI command (#​17978, @​nsthorat)
• [Docs] Add deprecation notice for custom prompt judge (#​18287, @​smoorjani)
• [Docs] Overhaul scorer documentation (#​17930, @​B-Step62)
• [Docs] Add default optimizer documentation (#​17814, @​BenWilson2)
• [Docs] Update TypeScript SDK contribution documentation (#​17995, @​joelrobin18)
• [Docs] Fix Postgres 18+ mount path in documentation (#​18192, @​soyun11)
• [Docs] Fix typo: correct variable name from max_few_show_examples to max_few_shot_examples (#​18246, @​srinathmkce)
• [Docs] Replace single quotes with double quotes for Windows compatibility (#​18266, @​PavithraNelluri)
• [Docs] Fix typo in model registry documentation (#​18038, @​EddieMG)

Small bug fixes and documentation updates:

#​18349, #​18338, #​18241, #​18319, #​18309, #​18292, #​18280, #​18239, #​18236, #​17786, #​18003, #​17970, #​17898, #​17765, #​17667, @​serena-ruan; #​18346, #​17882, @​dbrx-euirim; #​18306, #​18208, #​18165, #​18110, #​18109, #​18108, #​18107, #​18105, #​18104, #​18100, #​18099, #​18155, #​18079, #​18082, #​18078, #​18077, #​18083, #​18030, #​18001, #​17999, #​17712, #​17785, #​17756, #​17729, #​17731, #​17733, @​daniellok-db; #​18339, #​18291, #​18222, #​18210, #​18124, #​18101, #​18054, #​18053, #​18007, #​17922, #​17823, #​17822, #​17805, #​17789, #​17750, #​17752, #​17760, #​17758, #​17688, #​17689, #​17693, #​17675, #​17673, #​17656, #​17674, @​harupy; #​18331, #​18308, #​18303, #​18146, @​smoorjani; #​18315, #​18279, #​18310, #​18187, #​18225, #​18277, #​18193, #​18223, #​18209, #​18200, #​18178, #​17574, #​18021, #​18006, #​17944, @​B-Step62; #​18290, #​17946, #​17627, @​bbqiu; #​18274, @​Ninja3047; #​18204, #​17868, #​17866, #​17833, #​17826, #​17835, @​TomeHirata; #​18273, #​18043, #​17928, #​17931, #​17936, #​17937, @​dbczumar; #​18185, #​18180, #​18174, #​18170, #​18167, #​18164, #​18168, #​18166, #​18162, #​18160, #​18159, #​18157, #​18156, #​18154, #​18148, #​18145, #​18135, #​18143, #​18142, #​18139, #​18132, #​18130, #​18119, #​18117, #​18115, #​18102, #​18075, #​18046, #​18062, #​18042, #​18051, #​18036, #​18027, #​18014, #​18011, #​18009, #​18004, #​17903, #​18000, #​18002, #​17973, #​17993, #​17989, #​17984, #​17968, #​17966, #​17967, #​17962, #​17977, #​17976, #​17972, #​17965, #​17964, #​17963, #​17969, #​17971, #​17939, #​17926, #​17924, #​17915, #​17911, #​17912, #​17904, #​17902, #​17900, #​17897, #​17892, #​17889, #​17888, #​17885, #​17884, #​17878, #​17874, #​17873, #​17871, #​17870, #​17865, #​17860, #​17861, #​17859, #​17857, #​17856, #​17854, #​17853, #​17851, #​17849, #​17850, #​17847, #​17845, #​17846, #​17844, #​17843, #​17842, #​17838, #​17836, #​17834, #​17831, #​17824, #​17828, #​17819, #​17825, #​17817, #​17821, #​17809, #​17807, #​17808, #​17803, #​17800, #​17799, #​17797, #​17793, #​17790, #​17772, #​17771, #​17769, #​17770, #​17753, #​17762, #​17747, #​17749, #​17745, #​17740, #​17734, #​17732, #​17726, #​17723, #​17722, #​17721, #​17719, #​17720, #​17718, #​17716, #​17713, #​17715, #​17710, #​17709, #​17708, #​17707, #​17705, #​17697, #​17701, #​17698, #​17696, #​17695, @​copilot-swe-agent; #​18151, #​18153, #​17983, #​18040, #​17981, #​17841, #​17818, #​17776, #​17781, @​BenWilson2; #​18068, @​alkispoly-db; #​18133, @​kevin-lyn; #​17105, #​17717, @​joelrobin18; #​17879, @​lkuo; #​17996, #​17945, #​17913, @​WeichenXu123

v3.4.0

Compare Source

MLflow 3.4.0rc0 includes several major features and improvements

Major New Features

• 📊 OpenTelemetry Metrics Export: MLflow now exports span-level statistics as OpenTelemetry metrics, providing enhanced observability and monitoring capabilities for traced applications. (#​17325, @​dbczumar)
• 🤖 MCP Server Integration: Introducing the Model Context Protocol (MCP) server for MLflow, enabling AI assistants and LLMs to interact with MLflow programmatically. (#​17122, @​harupy)
• 🧑‍⚖️ Custom Judges API: New make_judge API enables creation of custom evaluation judges for assessing LLM outputs with domain-specific criteria. (#​17647, @​BenWilson2, @​dbczumar, @​alkispoly-db, @​smoorjani)
• 📈 Correlations Backend: Implemented backend infrastructure for storing and computing correlations between experiment metrics using NPMI (Normalized Pointwise Mutual Information). (#​17309, #​17368, @​BenWilson2)
• 🗂️ Evaluation Datasets: MLflow now supports storing and versioning evaluation datasets directly within experiments for reproducible model assessment. (#​17447, @​BenWilson2)
• 🔗 Databricks Backend for MLflow Server: MLflow server can now use Databricks as a backend, enabling seamless integration with Databricks workspaces. (#​17411, @​nsthorat)
• 🤖 Claude Autologging: Automatic tracing support for Claude AI interactions, capturing conversations and model responses. (#​17305, @​smoorjani)
• 🌊 Strands Agent Tracing: Added comprehensive tracing support for Strands agents, including automatic instrumentation for agent workflows and interactions. (#​17151, @​joelrobin18)
• 🧪 Experiment Types in UI: MLflow now introduces experiment types, helping reduce clutter between classic ML/DL and GenAI features. MLflow auto-detects the type, but you can easily adjust it via a selector next to the experiment name. (#​17605, @​daniellok-db)

Features:

• [Evaluation] Add ability to pass tags via dataframe in mlflow.genai.evaluate (#​17549, @​smoorjani)
• [Evaluation] Add custom judge model support for Safety and RetrievalRelevance builtin scorers (#​17526, @​dbrx-euirim)
• [Tracing] Add AI commands as MCP prompts for LLM interaction (#​17608, @​nsthorat)
• [Tracing] Add MLFLOW_ENABLE_OTLP_EXPORTER environment variable (#​17505, @​dbczumar)
• [Tracing] Support OTel and MLflow dual export (#​17187, @​dbczumar)
• [Tracing] Make set_destination use ContextVar for thread safety (#​17219, @​B-Step62)
• [CLI] Add MLflow commands CLI for exposing prompt commands to LLMs (#​17530, @​nsthorat)
• [CLI] Add 'mlflow runs link-traces' command (#​17444, @​nsthorat)
• [CLI] Add 'mlflow runs create' command for programmatic run creation (#​17417, @​nsthorat)
• [CLI] Add MLflow traces CLI command with comprehensive search and management capabilities (#​17302, @​nsthorat)
• [CLI] Add --env-file flag to all MLflow CLI commands (#​17509, @​nsthorat)
• [Tracking] Backend for storing scorers in MLflow experiments (#​17090, @​WeichenXu123)
• [Model Registry] Allow cross-workspace copying of model versions between WMR and UC (#​17458, @​arpitjasa-db)
• [Models] Add automatic Git-based model versioning for GenAI applications (#​17076, @​harupy)
• [Models] Improve WheeledModel._download_wheels safety (#​17004, @​serena-ruan)
• [Projects] Support resume run for Optuna hyperparameter optimization (#​17191, @​lu-wang-dl)
• [Scoring] Add MLFLOW_DEPLOYMENT_CLIENT_HTTP_REQUEST_TIMEOUT environment variable (#​17252, @​dbczumar)
• [UI] Add ability to hide/unhide all finished runs in Chart view (#​17143, @​joelrobin18)
• [Telemetry] Add MLflow OSS telemetry for invoke_custom_judge_model (#​17585, @​dbrx-euirim)

Bug fixes:

• [Evaluation] Implement DSPy LM interface for default Databricks model serving (#​17672, @​smoorjani)
• [Evaluation] Fix aggregations incorrectly applied to legacy scorer interface (#​17596, @​BenWilson2)
• [Evaluation] Add Unity Catalog table source support for mlflow.evaluate (#​17546, @​BenWilson2)
• [Evaluation] Fix custom prompt judge encoding issues with custom judge models (#​17584, @​dbrx-euirim)
• [Tracking] Fix OpenAI autolog to properly reconstruct Response objects from streaming events (#​17535, @​WeichenXu123)
• [Tracking] Add basic authentication support in TypeScript SDK (#​17436, @​kevin-lyn)
• [Tracking] Update scorer endpoints to v3.0 API specification (#​17409, @​WeichenXu123)
• [Tracking] Fix scorer status handling in MLflow tracking backend (#​17379, @​WeichenXu123)
• [Tracking] Fix missing source-run information in UI (#​16682, @​WeichenXu123)
• [Scoring] Fix spark_udf to always use stdin_serve for model serving (#​17580, @​WeichenXu123)
• [Scoring] Fix a bug with Spark UDF usage of uv as an environment manager (#​17489, @​WeichenXu123)
• [Model Registry] Extract source workspace ID from run_link during model version migration (#​17600, @​arpitjasa-db)
• [Models] Improve security by reducing write permissions in temporary directory creation (#​17544, @​BenWilson2)
• [Server-infra] Fix --env-file flag compatibility with --dev mode (#​17615, @​nsthorat)
• [Server-infra] Fix basic authentication with Uvicorn server (#​17523, @​kevin-lyn)
• [UI] Fix experiment comparison functionality in UI (#​17550, @​Flametaa)
• [UI] Fix compareExperimentsSearch route definitions (#​17459, @​WeichenXu123)

Documentation updates:

• [Docs] Add clarification for trace requirements in scorers documentation (#​17542, @​BenWilson2)
• [Docs] Add documentation for Claude code autotracing (#​17521, @​smoorjani)
• [Docs] Remove experimental status message for MPU/MPD features (#​17486, @​BenWilson2)
• [Docs] Remove problematic pages from documentation (#​17453, @​BenWilson2)
• [Docs] Add documentation for updating signatures on Databricks registered models (#​17450, @​arpitjasa-db)
• [Docs] Update Scorers API documentation (#​17298, @​WeichenXu123)
• [Docs] Add comprehensive documentation for scorers (#​17258, @​B-Step62)

Small bug fixes and documentation updates:

#​17655, #​17657, #​17597, #​17545, #​17547, @​BenWilson2; #​17671, @​smoorjani; #​17668, #​17665, #​17662, #​17661, #​17659, #​17658, #​17653, #​17643, #​17642, #​17636, #​17634, #​17631, [#​17628](https://redirect.github.co

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.