AI Threat Alert

CVE-2023-1177: MLflow: path traversal allows arbitrary file read/write

CRITICAL ACTIVELY EXPLOITED PoC AVAILABLE NUCLEI TEMPLATE CISA: TRACK*
Published March 24, 2023
CISO Take

Unauthenticated path traversal in MLflow (CVSS 9.8) lets any network-reachable attacker read or write arbitrary files on your ML platform server. If MLflow is reachable from untrusted networks — including internal segments without strong access controls — treat this as active compromise risk: attackers can steal models, training data, and credentials stored on the filesystem. Patch to 2.2.1 immediately and audit all MLflow network exposure.

What is the risk?

Extremely high. CVSS 9.8 with no authentication, no user interaction, and full CIA impact. MLflow servers are routinely deployed without authentication enabled on internal networks or even internet-facing, making this trivially exploitable by automated scanners. MLflow instances hold high-value AI assets — trained models, experiment artifacts, hyperparameters, cloud credentials — making them an attractive target. The low attack complexity means weaponized exploits are accessible to low-skill actors.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
MLflow pip No patch
26.6K OpenSSF 5.6 655 dependents Pushed 4d ago 31% patched ~51d to patch Full package profile →

Do you use MLflow? You're affected.

How severe is it?

CVSS 3.1
9.8 / 10
EPSS
69.5%
chance of exploitation in 30 days
Higher than 99% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Actively Exploited
Sophistication
Trivial
Exploitation Confidence
high
CISA KEV (active exploitation confirmed)
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Nuclei detection template available
EPSS exploit prediction: 69%
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

What should I do?

6 steps

  1. PATCH

    Upgrade MLflow to 2.2.1 or later immediately — this is the only complete fix.

  2. ISOLATE

    Ensure MLflow is not exposed to the public internet; restrict access via firewall rules and network segmentation.

  3. AUTHENTICATE

    Enable authentication if supported by your version; otherwise place behind an authenticated reverse proxy (nginx + OAuth2 proxy, Cloudflare Access).

  4. AUDIT LOGS

    Search server logs for path traversal patterns — sequences containing ../, ..\ or URL-encoded equivalents (%2e%2e%2f) in artifact or file endpoint requests.

  5. ROTATE CREDENTIALS

    Assume all secrets stored on the MLflow server filesystem (API keys, .env files, ~/.aws/credentials, database passwords) are compromised; rotate immediately.

  6. INVENTORY

    Identify all MLflow instances across environments (dev, staging, prod) and confirm patch status for each.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Code Execution Supply Chain Framework Model Training Data AML.T0010.001 AML.T0018 AML.T0025 AML.T0035 AML.T0037 AML.T0049 AML.T0055

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - Information security in AI system development
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems and respond to AI risks
OWASP LLM Top 10
LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2023-1177?

Unauthenticated path traversal in MLflow (CVSS 9.8) lets any network-reachable attacker read or write arbitrary files on your ML platform server. If MLflow is reachable from untrusted networks — including internal segments without strong access controls — treat this as active compromise risk: attackers can steal models, training data, and credentials stored on the filesystem. Patch to 2.2.1 immediately and audit all MLflow network exposure.

Is CVE-2023-1177 actively exploited?

Yes, CVE-2023-1177 is confirmed actively exploited and listed in CISA Known Exploited Vulnerabilities catalog.

How to fix CVE-2023-1177?

1. PATCH: Upgrade MLflow to 2.2.1 or later immediately — this is the only complete fix. 2. ISOLATE: Ensure MLflow is not exposed to the public internet; restrict access via firewall rules and network segmentation. 3. AUTHENTICATE: Enable authentication if supported by your version; otherwise place behind an authenticated reverse proxy (nginx + OAuth2 proxy, Cloudflare Access). 4. AUDIT LOGS: Search server logs for path traversal patterns — sequences containing ../, ..\ or URL-encoded equivalents (%2e%2e%2f) in artifact or file endpoint requests. 5. ROTATE CREDENTIALS: Assume all secrets stored on the MLflow server filesystem (API keys, .env files, ~/.aws/credentials, database passwords) are compromised; rotate immediately. 6. INVENTORY: Identify all MLflow instances across environments (dev, staging, prod) and confirm patch status for each.

What systems are affected by CVE-2023-1177?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, model registry, training pipelines, experiment tracking systems, model serving infrastructure.

What is the CVSS score for CVE-2023-1177?

CVE-2023-1177 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 69.47%.

What is the AI security impact?

Affected AI Architectures

MLOps platformsmodel registrytraining pipelinesexperiment tracking systemsmodel serving infrastructure

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0018 Manipulate AI Model
AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1.

Exploitation Scenario

An adversary scans corporate cloud environments and identifies an unpatched MLflow tracking server accessible on an internal VPC segment. Without credentials, they send a crafted HTTP GET to the artifact API with a path traversal sequence to enumerate filesystem structure. Within minutes they retrieve ~/.aws/credentials, obtaining cloud access keys with broad S3 and SageMaker permissions. They then read stored model artifact files — obtaining proprietary model weights trained on sensitive data. As a final stage, they overwrite a registered production model binary with a backdoored version that, when loaded by the serving infrastructure, silently exfiltrates a copy of every inference request payload to an attacker-controlled endpoint. The attack produces no authentication failures and blends into normal artifact access patterns.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-29 Path Traversal: '\..\filename'

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
March 24, 2023
Last Modified
November 21, 2024
First Seen
March 24, 2023

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

View template on GitHub
nuclei -t http/cves/2023/CVE-2023-1177.yaml -u https://target.example.com

Related Vulnerabilities

CRITICAL CVE-2023-3765 10.0

MLflow: path traversal allows arbitrary file read

Same package: mlflow
CRITICAL CVE-2025-15379 10.0

MLflow: RCE via unsanitized model dependency specs

Same package: mlflow
CRITICAL CVE-2026-2635 9.8

mlflow: security flaw enables exploitation

Same package: mlflow
CRITICAL CVE-2023-2780 9.8

MLflow: path traversal allows arbitrary file read/write

Same package: mlflow
CRITICAL CVE-2023-6018 9.8

MLflow: unauth file overwrite enables model poisoning

Same package: mlflow
Back to Threat Feed