AI Threat Alert

CVE-2023-2780: MLflow: path traversal allows arbitrary file read/write

CRITICAL PoC AVAILABLE NUCLEI TEMPLATE CISA: ATTEND
Published May 17, 2023
CISO Take

Any internet-exposed MLflow instance prior to 2.3.1 is fully compromised—unauthenticated attackers can read and write arbitrary files on the server. Patch to 2.3.1+ immediately and audit MLflow exposure; this is a trivial exploit with a public PoC. Treat any exposed MLflow server as potentially breached: rotate credentials stored in artifacts and review model registry integrity.

What is the risk?

Exceptionally high. CVSS 9.8 reflects the true risk: network-accessible, zero authentication, zero user interaction, and full confidentiality/integrity/availability impact. MLflow instances are frequently internet-exposed in data science teams with permissive network policies. The attack is trivially reproducible using standard path traversal tooling. No mitigating controls exist short of patching or blocking access entirely.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
MLflow pip No patch
26.6K OpenSSF 5.6 655 dependents Pushed 5d ago 31% patched ~51d to patch Full package profile →

Do you use MLflow? You're affected.

How severe is it?

CVSS 3.1
9.8 / 10
EPSS
6.3%
chance of exploitation in 30 days
Higher than 93% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Nuclei detection template available
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

What should I do?

6 steps

  1. PATCH

    Upgrade to MLflow 2.3.1 or later immediately—this is the only fix.

  2. ISOLATE

    If patching is not immediately possible, block all public internet access to MLflow (default port 5000). Place behind VPN or internal network only.

  3. AUDIT EXPOSURE

    Run shodan search 'http.title:MLflow' or equivalent to identify exposed instances. Check cloud security groups and load balancer rules.

  4. ROTATE CREDENTIALS

    Assume any credentials accessible from the MLflow server filesystem have been compromised. Rotate cloud provider keys, database passwords, and Hugging Face/OpenAI tokens.

  5. VERIFY INTEGRITY

    Hash-check all models in the registry against known-good checksums. Any model that could have been overwritten should be re-trained or restored from clean backup.

  6. DETECT

    Look for path traversal patterns (../, ..\) in MLflow HTTP access logs. Alert on any 200 responses to requests containing traversal sequences.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Code Execution Supply Chain Framework Training Data Model AML.T0010.001 AML.T0025 AML.T0035 AML.T0037 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness, and cybersecurity
ISO 42001
A.6.2.6 - AI system security A.8.4 - AI data security
NIST AI RMF
GOVERN-6.2 - Organizational risk policies for AI MANAGE-2.2 - Mechanisms to sustain AI risk management
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2023-2780?

Any internet-exposed MLflow instance prior to 2.3.1 is fully compromised—unauthenticated attackers can read and write arbitrary files on the server. Patch to 2.3.1+ immediately and audit MLflow exposure; this is a trivial exploit with a public PoC. Treat any exposed MLflow server as potentially breached: rotate credentials stored in artifacts and review model registry integrity.

Is CVE-2023-2780 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-2780, increasing the risk of exploitation.

How to fix CVE-2023-2780?

1. PATCH: Upgrade to MLflow 2.3.1 or later immediately—this is the only fix. 2. ISOLATE: If patching is not immediately possible, block all public internet access to MLflow (default port 5000). Place behind VPN or internal network only. 3. AUDIT EXPOSURE: Run `shodan search 'http.title:MLflow'` or equivalent to identify exposed instances. Check cloud security groups and load balancer rules. 4. ROTATE CREDENTIALS: Assume any credentials accessible from the MLflow server filesystem have been compromised. Rotate cloud provider keys, database passwords, and Hugging Face/OpenAI tokens. 5. VERIFY INTEGRITY: Hash-check all models in the registry against known-good checksums. Any model that could have been overwritten should be re-trained or restored from clean backup. 6. DETECT: Look for path traversal patterns (`../`, `..\`) in MLflow HTTP access logs. Alert on any 200 responses to requests containing traversal sequences.

What systems are affected by CVE-2023-2780?

This vulnerability affects the following AI/ML architecture patterns: MLOps pipelines, model registries, training pipelines, model serving, experiment tracking infrastructure.

What is the CVSS score for CVE-2023-2780?

CVE-2023-2780 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 6.31%.

What is the AI security impact?

Affected AI Architectures

MLOps pipelinesmodel registriestraining pipelinesmodel servingexperiment tracking infrastructure

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art.15
ISO 42001: A.6.2.6, A.8.4
NIST AI RMF: GOVERN-6.2, MANAGE-2.2
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.3.1.

Exploitation Scenario

An adversary scans for MLflow instances via Shodan or direct network enumeration. They send a crafted HTTP GET request to the MLflow artifact API with a path traversal payload (e.g., `GET /api/2.0/mlflow/artifacts/get?path=../../etc/passwd`). With no authentication required, the server returns the file contents. The adversary then traverses to cloud credential files (`~/.aws/credentials`, application config files), extracts API keys, and uses them to access the organization's S3 model storage. In the destructive variant, they overwrite a production model artifact with a backdoored version—the next automated deployment cycle promotes the poisoned model to serving, enabling persistent inference manipulation or RCE depending on the model loading framework.

Weaknesses (CWE)

CWE-29 Path Traversal: '\..\filename'

CWE-29 — Path Traversal: '\..\filename': The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Implementation] Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
May 17, 2023
Last Modified
November 21, 2024
First Seen
May 17, 2023

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

View template on GitHub
nuclei -t http/cves/2023/CVE-2023-2780.yaml -u https://target.example.com

Related Vulnerabilities

CRITICAL CVE-2023-3765 10.0

MLflow: path traversal allows arbitrary file read

Same package: mlflow
CRITICAL CVE-2025-15379 10.0

MLflow: RCE via unsanitized model dependency specs

Same package: mlflow
CRITICAL CVE-2026-2635 9.8

mlflow: security flaw enables exploitation

Same package: mlflow
CRITICAL CVE-2023-1177 9.8

MLflow: path traversal allows arbitrary file read/write

Same package: mlflow
CRITICAL CVE-2023-6018 9.8

MLflow: unauth file overwrite enables model poisoning

Same package: mlflow
Back to Threat Feed