AI Threat Alert AI Threat Alert

CVE-2023-2780: MLflow: path traversal allows arbitrary file read/write

CRITICAL PoC AVAILABLE NUCLEI TEMPLATE CISA: ATTEND
Published May 17, 2023
CISO Take

Any internet-exposed MLflow instance prior to 2.3.1 is fully compromised—unauthenticated attackers can read and write arbitrary files on the server. Patch to 2.3.1+ immediately and audit MLflow exposure; this is a trivial exploit with a public PoC. Treat any exposed MLflow server as potentially breached: rotate credentials stored in artifacts and review model registry integrity.

Risk Assessment

Exceptionally high. CVSS 9.8 reflects the true risk: network-accessible, zero authentication, zero user interaction, and full confidentiality/integrity/availability impact. MLflow instances are frequently internet-exposed in data science teams with permissive network policies. The attack is trivially reproducible using standard path traversal tooling. No mitigating controls exist short of patching or blocking access entirely.

Affected Systems

Package Ecosystem Vulnerable Range Patched
mlflow pip No patch
25.8K OpenSSF 4.7 624 dependents Pushed yesterday 24% patched ~64d to patch Full package profile →

Do you use mlflow? You're affected.

Severity & Risk

CVSS 3.1
9.8 / 10
EPSS
86.8%
chance of exploitation in 30 days
Higher than 99% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Nuclei detection template available
EPSS exploit prediction: 87%
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

Recommended Action

6 steps

  1. PATCH

    Upgrade to MLflow 2.3.1 or later immediately—this is the only fix.

  2. ISOLATE

    If patching is not immediately possible, block all public internet access to MLflow (default port 5000). Place behind VPN or internal network only.

  3. AUDIT EXPOSURE

    Run shodan search 'http.title:MLflow' or equivalent to identify exposed instances. Check cloud security groups and load balancer rules.

  4. ROTATE CREDENTIALS

    Assume any credentials accessible from the MLflow server filesystem have been compromised. Rotate cloud provider keys, database passwords, and Hugging Face/OpenAI tokens.

  5. VERIFY INTEGRITY

    Hash-check all models in the registry against known-good checksums. Any model that could have been overwritten should be re-trained or restored from clean backup.

  6. DETECT

    Look for path traversal patterns (../, ..\) in MLflow HTTP access logs. Alert on any 200 responses to requests containing traversal sequences.

CISA SSVC Assessment

Decision Attend
Exploitation poc
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Code Execution Supply Chain Framework Training Data Model AML.T0010.001 AML.T0025 AML.T0035 AML.T0037 AML.T0049

Compliance Impact

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness, and cybersecurity
ISO 42001
A.6.2.6 - AI system security A.8.4 - AI data security
NIST AI RMF
GOVERN-6.2 - Organizational risk policies for AI MANAGE-2.2 - Mechanisms to sustain AI risk management
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2023-2780?

Any internet-exposed MLflow instance prior to 2.3.1 is fully compromised—unauthenticated attackers can read and write arbitrary files on the server. Patch to 2.3.1+ immediately and audit MLflow exposure; this is a trivial exploit with a public PoC. Treat any exposed MLflow server as potentially breached: rotate credentials stored in artifacts and review model registry integrity.

Is CVE-2023-2780 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-2780, increasing the risk of exploitation.

How to fix CVE-2023-2780?

1. PATCH: Upgrade to MLflow 2.3.1 or later immediately—this is the only fix. 2. ISOLATE: If patching is not immediately possible, block all public internet access to MLflow (default port 5000). Place behind VPN or internal network only. 3. AUDIT EXPOSURE: Run `shodan search 'http.title:MLflow'` or equivalent to identify exposed instances. Check cloud security groups and load balancer rules. 4. ROTATE CREDENTIALS: Assume any credentials accessible from the MLflow server filesystem have been compromised. Rotate cloud provider keys, database passwords, and Hugging Face/OpenAI tokens. 5. VERIFY INTEGRITY: Hash-check all models in the registry against known-good checksums. Any model that could have been overwritten should be re-trained or restored from clean backup. 6. DETECT: Look for path traversal patterns (`../`, `..\`) in MLflow HTTP access logs. Alert on any 200 responses to requests containing traversal sequences.

What systems are affected by CVE-2023-2780?

This vulnerability affects the following AI/ML architecture patterns: MLOps pipelines, model registries, training pipelines, model serving, experiment tracking infrastructure.

What is the CVSS score for CVE-2023-2780?

CVE-2023-2780 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 86.85%.

Technical Details

NVD Description

Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.3.1.

Exploitation Scenario

An adversary scans for MLflow instances via Shodan or direct network enumeration. They send a crafted HTTP GET request to the MLflow artifact API with a path traversal payload (e.g., `GET /api/2.0/mlflow/artifacts/get?path=../../etc/passwd`). With no authentication required, the server returns the file contents. The adversary then traverses to cloud credential files (`~/.aws/credentials`, application config files), extracts API keys, and uses them to access the organization's S3 model storage. In the destructive variant, they overwrite a production model artifact with a backdoored version—the next automated deployment cycle promotes the poisoned model to serving, enabling persistent inference manipulation or RCE depending on the model loading framework.

Weaknesses (CWE)

CWE-29

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
May 17, 2023
Last Modified
November 21, 2024
First Seen
May 17, 2023

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

View template on GitHub
nuclei -t http/cves/2023/CVE-2023-2780.yaml -u https://target.example.com

Related Vulnerabilities

CRITICAL CVE-2025-15379 10.0

MLflow: RCE via unsanitized model dependency specs

Same package: mlflow
CRITICAL CVE-2023-3765 10.0

MLflow: path traversal allows arbitrary file read

Same package: mlflow
CRITICAL CVE-2023-6018 9.8

MLflow: unauth file overwrite enables model poisoning

Same package: mlflow
CRITICAL CVE-2023-1177 9.8

MLflow: path traversal allows arbitrary file read/write

Same package: mlflow
CRITICAL CVE-2026-2635 9.8

mlflow: security flaw enables exploitation

Same package: mlflow
Back to Threat Feed