CVE-2023-5245: MLeap: zip slip in model loading enables RCE

CRITICAL PoC AVAILABLE

Published November 15, 2023

CISO Take

MLeap's FileUtil.extract() is vulnerable to zip slip, allowing arbitrary file writes when loading TensorFlow SavedModel artifacts — trivially exploitable with no authentication required. Any ML pipeline that loads external or untrusted models via MLeap is at critical risk of full host compromise. Immediately audit mleap usage, apply the PR #866 patch, and sandbox all model loading operations.

What is the risk?

Maximum exploitability: CVSS 9.8, network-accessible, no authentication, no user interaction required. Zip slip is a well-understood attack class requiring zero ML expertise — any attacker who can deliver a malicious model file achieves RCE. ML serving environments frequently run with elevated privileges and broad filesystem access, dramatically amplifying the blast radius beyond the model loading process itself.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
mleap	—	—	No patch

Do you use mleap? You're affected.

How severe is it?

CVSS 3.1

9.8 / 10

EPSS

1.2%

chance of exploitation in 30 days

Higher than 64% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I High

A High

What should I do?

1 step

1) Patch: Apply fix from mleap PR #866 immediately. 2) Inventory: Identify all services using mleap TensorflowModel with saved_model format — check pom.xml, requirements, and Dockerfiles. 3) Sandbox: Run model loading in isolated containers with read-only root filesystems and explicitly scoped writable mounts. 4) Integrity: Enforce cryptographic signature verification (e.g., Sigstore/cosign) on all model artifacts before loading. 5) Least privilege: Model serving processes should run as unprivileged users with no write access outside designated model directories. 6) Detection: Alert on unexpected file writes from model serving processes, particularly to /etc, cron paths, SSH directories, or application roots.

How is it classified?

Supply Chain Code Execution Framework Model AML.T0010.003 - Model AML.T0011.000 - Unsafe AI Artifacts AML.T0018.002 - Embed Malware

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

6.1.2 - AI risk assessment 8.4 - AI system lifecycle

NIST AI RMF

MANAGE-2.2 - Risk treatment for AI components

OWASP LLM Top 10

LLM05:2023 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2023-5245?

Is CVE-2023-5245 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-5245, increasing the risk of exploitation.

How to fix CVE-2023-5245?

1) Patch: Apply fix from mleap PR #866 immediately. 2) Inventory: Identify all services using mleap TensorflowModel with saved_model format — check pom.xml, requirements, and Dockerfiles. 3) Sandbox: Run model loading in isolated containers with read-only root filesystems and explicitly scoped writable mounts. 4) Integrity: Enforce cryptographic signature verification (e.g., Sigstore/cosign) on all model artifacts before loading. 5) Least privilege: Model serving processes should run as unprivileged users with no write access outside designated model directories. 6) Detection: Alert on unexpected file writes from model serving processes, particularly to /etc, cron paths, SSH directories, or application roots.

What systems are affected by CVE-2023-5245?

This vulnerability affects the following AI/ML architecture patterns: model serving, MLOps/CI-CD pipelines, training pipelines, inference pipelines.

What is the CVSS score for CVE-2023-5245?

CVE-2023-5245 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 1.19%.

What is the AI security impact?

Affected AI Architectures

model servingMLOps/CI-CD pipelinestraining pipelinesinference pipelines

MITRE ATLAS Techniques

AML.T0010.003 Model

AML.T0011.000 Unsafe AI Artifacts

AML.T0018.002 Embed Malware

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: 6.1.2, 8.4

NIST AI RMF: MANAGE-2.2

OWASP LLM Top 10: LLM05:2023

What are the technical details?

Original Advisory

FileUtil.extract() enumerates all zip file entries and extracts each file without validating whether file paths in the archive are outside the intended directory. When creating an instance of TensorflowModel using the saved_model format and an exported tensorflow model, the apply() function invokes the vulnerable implementation of FileUtil.extract(). Arbitrary file creation can directly lead to code execution

Exploitation Scenario

An adversary crafts a malicious TensorFlow SavedModel archive where zip entries contain path traversal sequences (e.g., ../../etc/cron.d/backdoor or ../../root/.ssh/authorized_keys). The archive is published to a public model hub (HuggingFace, MLflow registry) or injected into a CI/CD pipeline via a compromised upstream dependency. When a victim's ML serving infrastructure calls apply() to load the model via MLeap, FileUtil.extract() blindly extracts all entries — writing attacker-controlled files to arbitrary host locations. No authentication to the victim system is required; the exploit fires the moment the model is loaded, achieving persistent RCE via cron or immediate execution via overwritten application binaries.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.