CVE-2023-3765 — CRITICAL (CVSS 10.0) AI Security Vulnerability

CISO Take

MLflow instances prior to 2.5.0 expose the entire host filesystem to unauthenticated remote attackers — CVSS 10.0, zero prerequisites. Patch to 2.5.0 immediately and treat any exposed pre-patch instance as fully compromised. Assume model weights, training data, .env files, and cloud credentials (AWS keys, GCP service accounts) have been exfiltrated.

Risk Assessment

Severity is maximum: CVSS 10.0 with network attack vector, no privileges required, no user interaction, and scope change. MLflow is routinely deployed without authentication in data science environments (notebooks, shared servers, internal tooling), making it trivially discoverable and exploitable. The changed scope (S:C) means exploitation can cascade beyond the MLflow process to the underlying host. EPSS data is unavailable but the simplicity of exploitation and public PoC availability on huntr.dev elevate practical risk significantly.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
mlflow	pip	—	No patch
25.8K OpenSSF 4.7 624 dependents Pushed yesterday 24% patched ~64d to patch Full package profile →

Do you use mlflow? You're affected.

Severity & Risk

CVSS 3.1

10.0 / 10

EPSS

91.5%

chance of exploitation in 30 days

Higher than 100% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

○ Nuclei detection template available

○ EPSS exploit prediction: 91%

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Changed

C High

I High

A High

Recommended Action

6 steps

PATCH

Upgrade MLflow to 2.5.0 or later immediately.
NETWORK

Place MLflow behind a VPN or internal network — it must not be internet-facing without authentication.
AUDIT

Review access logs for requests containing '../', '/', or absolute paths in file parameters; treat any hits as confirmed breach.
ROTATE

Immediately rotate all credentials (AWS, GCP, database, SSH keys) stored on or accessible from the MLflow host.
DETECT

Add WAF rules or IDS signatures for path traversal patterns in MLflow API endpoints (/api/2.0/mlflow/artifacts/get-content, logged_model paths).
ISOLATE

Run MLflow with a dedicated service account with minimal filesystem permissions; use read-only mounts for artifact directories.

CISA SSVC Assessment

Decision Attend

Exploitation poc

Automatable Yes

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Data Leakage Supply Chain Framework Model Training Data AML.T0007 - Discover AI Artifacts AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.8.4 - AI data security A.9.2 - AI system security

NIST AI RMF

GOVERN 6.2 - Policies and procedures for AI risk management are established MANAGE 2.4 - Residual risks are documented and monitored

OWASP LLM Top 10

LLM05:2025 - Improper Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2023-3765?

MLflow instances prior to 2.5.0 expose the entire host filesystem to unauthenticated remote attackers — CVSS 10.0, zero prerequisites. Patch to 2.5.0 immediately and treat any exposed pre-patch instance as fully compromised. Assume model weights, training data, .env files, and cloud credentials (AWS keys, GCP service accounts) have been exfiltrated.

Is CVE-2023-3765 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-3765, increasing the risk of exploitation.

How to fix CVE-2023-3765?

1. PATCH: Upgrade MLflow to 2.5.0 or later immediately. 2. NETWORK: Place MLflow behind a VPN or internal network — it must not be internet-facing without authentication. 3. AUDIT: Review access logs for requests containing '../', '/', or absolute paths in file parameters; treat any hits as confirmed breach. 4. ROTATE: Immediately rotate all credentials (AWS, GCP, database, SSH keys) stored on or accessible from the MLflow host. 5. DETECT: Add WAF rules or IDS signatures for path traversal patterns in MLflow API endpoints (/api/2.0/mlflow/artifacts/get-content, logged_model paths). 6. ISOLATE: Run MLflow with a dedicated service account with minimal filesystem permissions; use read-only mounts for artifact directories.

What systems are affected by CVE-2023-3765?

This vulnerability affects the following AI/ML architecture patterns: ML experiment tracking platforms, model registries, training pipelines, MLOps platforms, data science workbenches, model serving infrastructure.

What is the CVSS score for CVE-2023-3765?

CVE-2023-3765 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 91.45%.

Technical Details

NVD Description

Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0.

Exploitation Scenario

An adversary scans for exposed MLflow servers (Shodan query for MLflow UI banners is publicly documented). They find an internal data science team's MLflow instance accessible on a corporate subnet or misconfigured cloud security group. Without any credentials, they craft HTTP requests using absolute path traversal to read /etc/passwd (host enumeration), then /home/datascientist/.aws/credentials (cloud keys), followed by the MLflow artifact store configuration to locate model weights and training data. Within minutes they have valid AWS credentials, can access the S3 bucket containing all production model artifacts, and can exfiltrate or tamper with models deployed to production inference endpoints — all without triggering authentication alerts.