AI Threat Alert

CVE-2024-1483: MLflow: path traversal exposes arbitrary server files

HIGH PoC AVAILABLE NUCLEI TEMPLATE CISA: TRACK*
Published April 16, 2024
CISO Take

MLflow 2.9.2 allows unauthenticated attackers to read any file on the server via crafted artifact_location parameters — no credentials needed, network access is enough. If MLflow is reachable from untrusted networks (including internal segments with lateral movement risk), treat this as critical. Patch immediately or isolate the service behind a VPN/firewall; assume credential exposure if exploitation cannot be ruled out.

What is the risk?

Effective risk is CRITICAL in typical MLOps deployments despite the 7.5 CVSS score. The zero-auth requirement (PR:N, UI:N, AC:L) means any network-adjacent attacker can exfiltrate files without prior foothold. MLflow instances routinely store environment files, cloud provider credentials, database connection strings, and model configs in accessible paths. In organizations where MLflow is exposed on internal networks with flat segmentation, lateral movement significantly amplifies the blast radius.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
MLflow pip No patch
26.6K OpenSSF 5.6 655 dependents Pushed 4d ago 31% patched ~51d to patch Full package profile →

Do you use MLflow? You're affected.

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
2.7%
chance of exploitation in 30 days
Higher than 84% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Nuclei detection template available
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I None
A None

What should I do?

5 steps

  1. PATCH

    Upgrade MLflow to the latest release immediately; the fix was applied post-2.9.2.

  2. ISOLATE

    Restrict MLflow tracking server to internal VPN-only access; block port 5000 from untrusted segments via firewall or security group rules.

  3. AUDIT

    Review server access logs for anomalous POST requests to /api/2.0/mlflow/runs/create or experiment endpoints with artifact_location or source parameters containing '../', '%2e%2e', or '#' characters.

  4. ROTATE

    If exposure cannot be ruled out, rotate all credentials (cloud keys, DB passwords, API tokens) accessible from the MLflow server filesystem.

  5. DETECT

    Add WAF rule or IDS signature matching path traversal patterns in artifact_location/source parameters in POST bodies to MLflow endpoints.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Auth Bypass Framework Training Data AML.T0007 AML.T0025 AML.T0035 AML.T0037 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - Protection of AI system information A.9.1 - AI system vulnerability management
NIST AI RMF
GOVERN 6.1 - Policies for AI risk in the supply chain MANAGE 2.2 - Mechanisms for responding to AI risks
OWASP LLM Top 10
LLM08:2025 - Vector and Embedding Weaknesses

Frequently Asked Questions

What is CVE-2024-1483?

MLflow 2.9.2 allows unauthenticated attackers to read any file on the server via crafted artifact_location parameters — no credentials needed, network access is enough. If MLflow is reachable from untrusted networks (including internal segments with lateral movement risk), treat this as critical. Patch immediately or isolate the service behind a VPN/firewall; assume credential exposure if exploitation cannot be ruled out.

Is CVE-2024-1483 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-1483, increasing the risk of exploitation.

How to fix CVE-2024-1483?

1. PATCH: Upgrade MLflow to the latest release immediately; the fix was applied post-2.9.2. 2. ISOLATE: Restrict MLflow tracking server to internal VPN-only access; block port 5000 from untrusted segments via firewall or security group rules. 3. AUDIT: Review server access logs for anomalous POST requests to /api/2.0/mlflow/runs/create or experiment endpoints with artifact_location or source parameters containing '../', '%2e%2e', or '#' characters. 4. ROTATE: If exposure cannot be ruled out, rotate all credentials (cloud keys, DB passwords, API tokens) accessible from the MLflow server filesystem. 5. DETECT: Add WAF rule or IDS signature matching path traversal patterns in artifact_location/source parameters in POST bodies to MLflow endpoints.

What systems are affected by CVE-2024-1483?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, training pipelines, experiment tracking infrastructure, model registry, CI/CD for ML.

What is the CVSS score for CVE-2024-1483?

CVE-2024-1483 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 2.72%.

What is the AI security impact?

Affected AI Architectures

MLOps platformstraining pipelinesexperiment tracking infrastructuremodel registryCI/CD for ML

MITRE ATLAS Techniques

AML.T0007 Discover AI Artifacts
AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6, A.9.1
NIST AI RMF: GOVERN 6.1, MANAGE 2.2
OWASP LLM Top 10: LLM08:2025

What are the technical details?

Original Advisory

A path traversal vulnerability exists in mlflow/mlflow version 2.9.2, allowing attackers to access arbitrary files on the server. By crafting a series of HTTP POST requests with specially crafted 'artifact_location' and 'source' parameters, using a local URI with '#' instead of '?', an attacker can traverse the server's directory structure. The issue occurs due to insufficient validation of user-supplied input in the server's handlers.

Exploitation Scenario

An adversary scanning an internal data science network finds an exposed MLflow tracking server. Using a single unauthenticated HTTP POST to the runs/create API with artifact_location set to a local URI like file:///etc/../etc/passwd#experiment or a crafted source parameter, the attacker reads /etc/passwd to enumerate users. Escalating, they target common MLflow artifact storage paths to retrieve .env files containing AWS_ACCESS_KEY_ID and database DSNs used by the training pipeline. With cloud credentials in hand, the attacker pivots to S3/GCS to exfiltrate proprietary model weights and training datasets — all without ever compromising a user account.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

Timeline

Published
April 16, 2024
Last Modified
February 3, 2025
First Seen
April 16, 2024

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

View template on GitHub
nuclei -t http/cves/2024/CVE-2024-1483.yaml -u https://target.example.com

Related Vulnerabilities

CRITICAL CVE-2025-15379 10.0

MLflow: RCE via unsanitized model dependency specs

Same package: mlflow
CRITICAL CVE-2023-3765 10.0

MLflow: path traversal allows arbitrary file read

Same package: mlflow
CRITICAL CVE-2026-2635 9.8

mlflow: security flaw enables exploitation

Same package: mlflow
CRITICAL CVE-2023-1177 9.8

MLflow: path traversal allows arbitrary file read/write

Same package: mlflow
CRITICAL CVE-2023-2780 9.8

MLflow: path traversal allows arbitrary file read/write

Same package: mlflow
Back to Threat Feed