Pickle Load on Recipe Run Leading to Code Execution

Products Impacted

This vulnerability was introduced in version 1.27.0 of MLflow.

CVSS Score: 8.8

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE Categorization

CWE-502: Deserialization of Untrusted Data.

Details

The vulnerability exists within the recipes/cards/__init__.py file within the class BaseCard, in the static method load.

@staticmethod
def load(path):
    	if os.path.isdir(path):
        	path = os.path.join(path, CARD_PICKLE_NAME)
    	with open(path, "rb") as f:
        	return pickle.load(f)

An attacker can exploit this by creating an MLProject Recipe containing a pickle file that will execute arbitrary code when deserialized, along with code that calls BaseCard.load(pickle.pkl), pointing to the file pickle.pkl as shown below. The attacker could share this project with a victim, and when they attempt to run it, the pickle file will be deserialized and the arbitrary code executed on their machine.

An example MLproject file:

name: RecipeTestingProject

conda_env: conda.yaml

entry_points:
	main:
    		command: "python recipe_card_pickle.py"

The snippet from recipe_card_pickle.py file that is responsible for calling the vulnerable function when the victim runs mlflow run. from within the recipe directory:

r = Recipe(profile="local")
r.run("ingest")
BaseCard.load("recipe_card.pkl")