AI Threat Alert

CVE-2023-3765: MLflow: path traversal allows arbitrary file read

CRITICAL PoC AVAILABLE NUCLEI TEMPLATE CISA: ATTEND
Published July 19, 2023
CISO Take

MLflow instances prior to 2.5.0 expose the entire host filesystem to unauthenticated remote attackers — CVSS 10.0, zero prerequisites. Patch to 2.5.0 immediately and treat any exposed pre-patch instance as fully compromised. Assume model weights, training data, .env files, and cloud credentials (AWS keys, GCP service accounts) have been exfiltrated.

What is the risk?

Severity is maximum: CVSS 10.0 with network attack vector, no privileges required, no user interaction, and scope change. MLflow is routinely deployed without authentication in data science environments (notebooks, shared servers, internal tooling), making it trivially discoverable and exploitable. The changed scope (S:C) means exploitation can cascade beyond the MLflow process to the underlying host. EPSS data is unavailable but the simplicity of exploitation and public PoC availability on huntr.dev elevate practical risk significantly.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
MLflow pip No patch
26.6K OpenSSF 5.6 655 dependents Pushed 5d ago 31% patched ~51d to patch Full package profile →

Do you use MLflow? You're affected.

How severe is it?

CVSS 3.1
10.0 / 10
EPSS
70.7%
chance of exploitation in 30 days
Higher than 99% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Nuclei detection template available
EPSS exploit prediction: 71%
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Changed
C High
I High
A High

What should I do?

6 steps

  1. PATCH

    Upgrade MLflow to 2.5.0 or later immediately.

  2. NETWORK

    Place MLflow behind a VPN or internal network — it must not be internet-facing without authentication.

  3. AUDIT

    Review access logs for requests containing '../', '/', or absolute paths in file parameters; treat any hits as confirmed breach.

  4. ROTATE

    Immediately rotate all credentials (AWS, GCP, database, SSH keys) stored on or accessible from the MLflow host.

  5. DETECT

    Add WAF rules or IDS signatures for path traversal patterns in MLflow API endpoints (/api/2.0/mlflow/artifacts/get-content, logged_model paths).

  6. ISOLATE

    Run MLflow with a dedicated service account with minimal filesystem permissions; use read-only mounts for artifact directories.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Data Leakage Supply Chain Framework Model Training Data AML.T0007 AML.T0025 AML.T0035 AML.T0037 AML.T0049 AML.T0055

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.8.4 - AI data security A.9.2 - AI system security
NIST AI RMF
GOVERN 6.2 - Policies and procedures for AI risk management are established MANAGE 2.4 - Residual risks are documented and monitored
OWASP LLM Top 10
LLM05:2025 - Improper Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2023-3765?

MLflow instances prior to 2.5.0 expose the entire host filesystem to unauthenticated remote attackers — CVSS 10.0, zero prerequisites. Patch to 2.5.0 immediately and treat any exposed pre-patch instance as fully compromised. Assume model weights, training data, .env files, and cloud credentials (AWS keys, GCP service accounts) have been exfiltrated.

Is CVE-2023-3765 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-3765, increasing the risk of exploitation.

How to fix CVE-2023-3765?

1. PATCH: Upgrade MLflow to 2.5.0 or later immediately. 2. NETWORK: Place MLflow behind a VPN or internal network — it must not be internet-facing without authentication. 3. AUDIT: Review access logs for requests containing '../', '/', or absolute paths in file parameters; treat any hits as confirmed breach. 4. ROTATE: Immediately rotate all credentials (AWS, GCP, database, SSH keys) stored on or accessible from the MLflow host. 5. DETECT: Add WAF rules or IDS signatures for path traversal patterns in MLflow API endpoints (/api/2.0/mlflow/artifacts/get-content, logged_model paths). 6. ISOLATE: Run MLflow with a dedicated service account with minimal filesystem permissions; use read-only mounts for artifact directories.

What systems are affected by CVE-2023-3765?

This vulnerability affects the following AI/ML architecture patterns: ML experiment tracking platforms, model registries, training pipelines, MLOps platforms, data science workbenches, model serving infrastructure.

What is the CVSS score for CVE-2023-3765?

CVE-2023-3765 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 70.74%.

What is the AI security impact?

Affected AI Architectures

ML experiment tracking platformsmodel registriestraining pipelinesMLOps platformsdata science workbenchesmodel serving infrastructure

MITRE ATLAS Techniques

AML.T0007 Discover AI Artifacts
AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.8.4, A.9.2
NIST AI RMF: GOVERN 6.2, MANAGE 2.4
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0.

Exploitation Scenario

An adversary scans for exposed MLflow servers (Shodan query for MLflow UI banners is publicly documented). They find an internal data science team's MLflow instance accessible on a corporate subnet or misconfigured cloud security group. Without any credentials, they craft HTTP requests using absolute path traversal to read /etc/passwd (host enumeration), then /home/datascientist/.aws/credentials (cloud keys), followed by the MLflow artifact store configuration to locate model weights and training data. Within minutes they have valid AWS credentials, can access the S3 bucket containing all production model artifacts, and can exfiltrate or tamper with models deployed to production inference endpoints — all without triggering authentication alerts.

Weaknesses (CWE)

CWE-36 Absolute Path Traversal

CWE-36 — Absolute Path Traversal: The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Implementation] Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References

Timeline

Published
July 19, 2023
Last Modified
November 21, 2024
First Seen
July 19, 2023

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

View template on GitHub
nuclei -t http/cves/2023/CVE-2023-3765.yaml -u https://target.example.com

Related Vulnerabilities

CRITICAL CVE-2025-15379 10.0

MLflow: RCE via unsanitized model dependency specs

Same package: mlflow
CRITICAL CVE-2023-2780 9.8

MLflow: path traversal allows arbitrary file read/write

Same package: mlflow
CRITICAL CVE-2026-2635 9.8

mlflow: security flaw enables exploitation

Same package: mlflow
CRITICAL CVE-2023-1177 9.8

MLflow: path traversal allows arbitrary file read/write

Same package: mlflow
CRITICAL CVE-2023-6018 9.8

MLflow: unauth file overwrite enables model poisoning

Same package: mlflow
Back to Threat Feed