CVE-2023-1177 — CRITICAL (CVSS 9.8) AI Security Vulnerability

CISO Take

Unauthenticated path traversal in MLflow (CVSS 9.8) lets any network-reachable attacker read or write arbitrary files on your ML platform server. If MLflow is reachable from untrusted networks — including internal segments without strong access controls — treat this as active compromise risk: attackers can steal models, training data, and credentials stored on the filesystem. Patch to 2.2.1 immediately and audit all MLflow network exposure.

Risk Assessment

Extremely high. CVSS 9.8 with no authentication, no user interaction, and full CIA impact. MLflow servers are routinely deployed without authentication enabled on internal networks or even internet-facing, making this trivially exploitable by automated scanners. MLflow instances hold high-value AI assets — trained models, experiment artifacts, hyperparameters, cloud credentials — making them an attractive target. The low attack complexity means weaponized exploits are accessible to low-skill actors.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
mlflow	pip	—	No patch
25.7K OpenSSF 4.5 624 dependents Pushed 7d ago 24% patched ~64d to patch Full package profile →

Do you use mlflow? You're affected.

Severity & Risk

CVSS 3.1

9.8 / 10

EPSS

93.3%

chance of exploitation in 30 days

Higher than 100% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Actively Exploited

Sophistication

Trivial

Exploitation Confidence

high

✓ CISA KEV (active exploitation confirmed)

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

○ Nuclei detection template available

○ EPSS exploit prediction: 93%

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I High

A High

Recommended Action

6 steps

PATCH

Upgrade MLflow to 2.2.1 or later immediately — this is the only complete fix.
ISOLATE

Ensure MLflow is not exposed to the public internet; restrict access via firewall rules and network segmentation.
AUTHENTICATE

Enable authentication if supported by your version; otherwise place behind an authenticated reverse proxy (nginx + OAuth2 proxy, Cloudflare Access).
AUDIT LOGS

Search server logs for path traversal patterns — sequences containing ../, ..\ or URL-encoded equivalents (%2e%2e%2f) in artifact or file endpoint requests.
ROTATE CREDENTIALS

Assume all secrets stored on the MLflow server filesystem (API keys, .env files, ~/.aws/credentials, database passwords) are compromised; rotate immediately.
INVENTORY

Identify all MLflow instances across environments (dev, staging, prod) and confirm patch status for each.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Code Execution Supply Chain Framework Model Training Data AML.T0010.001 - AI Software AML.T0018 - Manipulate AI Model AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - Information security in AI system development

NIST AI RMF

MANAGE 2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems and respond to AI risks

OWASP LLM Top 10

LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2023-1177?

Unauthenticated path traversal in MLflow (CVSS 9.8) lets any network-reachable attacker read or write arbitrary files on your ML platform server. If MLflow is reachable from untrusted networks — including internal segments without strong access controls — treat this as active compromise risk: attackers can steal models, training data, and credentials stored on the filesystem. Patch to 2.2.1 immediately and audit all MLflow network exposure.

Is CVE-2023-1177 actively exploited?

Yes, CVE-2023-1177 is confirmed actively exploited and listed in CISA Known Exploited Vulnerabilities catalog.

How to fix CVE-2023-1177?

1. PATCH: Upgrade MLflow to 2.2.1 or later immediately — this is the only complete fix. 2. ISOLATE: Ensure MLflow is not exposed to the public internet; restrict access via firewall rules and network segmentation. 3. AUTHENTICATE: Enable authentication if supported by your version; otherwise place behind an authenticated reverse proxy (nginx + OAuth2 proxy, Cloudflare Access). 4. AUDIT LOGS: Search server logs for path traversal patterns — sequences containing ../, ..\ or URL-encoded equivalents (%2e%2e%2f) in artifact or file endpoint requests. 5. ROTATE CREDENTIALS: Assume all secrets stored on the MLflow server filesystem (API keys, .env files, ~/.aws/credentials, database passwords) are compromised; rotate immediately. 6. INVENTORY: Identify all MLflow instances across environments (dev, staging, prod) and confirm patch status for each.

What systems are affected by CVE-2023-1177?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, model registry, training pipelines, experiment tracking systems, model serving infrastructure.

What is the CVSS score for CVE-2023-1177?

CVE-2023-1177 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 93.31%.

Technical Details

NVD Description

Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1.

Exploitation Scenario

An adversary scans corporate cloud environments and identifies an unpatched MLflow tracking server accessible on an internal VPC segment. Without credentials, they send a crafted HTTP GET to the artifact API with a path traversal sequence to enumerate filesystem structure. Within minutes they retrieve ~/.aws/credentials, obtaining cloud access keys with broad S3 and SageMaker permissions. They then read stored model artifact files — obtaining proprietary model weights trained on sensitive data. As a final stage, they overwrite a registered production model binary with a backdoored version that, when loaded by the serving infrastructure, silently exfiltrates a copy of every inference request payload to an attacker-controlled endpoint. The attack produces no authentication failures and blends into normal artifact access patterns.