AI Threat Alert

CVE-2024-1558: MLflow: path traversal enables arbitrary file read

HIGH PoC AVAILABLE CISA: TRACK*
Published April 16, 2024
CISO Take

Unauthenticated attackers can read any file accessible to the MLflow server process by crafting a malicious source parameter that bypasses path validation — zero credentials required, network-accessible, trivially exploitable. Patch MLflow immediately and restrict server access to trusted networks. MLflow servers routinely have access to cloud credentials and model artifacts, making this a high-value target.

What is the risk?

High risk for any internet-exposed or insufficiently segmented MLflow deployment. CVSS 7.5 with no privileges, no user interaction, and low complexity makes this a prime candidate for automated exploitation. MLops environments are particularly dangerous targets because the MLflow process often has broad filesystem access — including .env files, cloud credential configs, SSH keys, and model weights — dramatically amplifying blast radius beyond a typical path traversal.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
MLflow pip No patch
26.6K OpenSSF 5.6 655 dependents Pushed 4d ago 31% patched ~51d to patch Full package profile →

Do you use MLflow? You're affected.

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
0.9%
chance of exploitation in 30 days
Higher than 54% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I None
A None

What should I do?

6 steps

  1. Patch: upgrade MLflow to the latest available release; verify fix via GitHub advisory for CVE-2024-1558.

  2. Immediate workaround: block all public and untrusted network access to MLflow servers — place behind VPN or internal-only firewall rules.

  3. Least privilege: run the MLflow process under a dedicated service account with read access scoped only to required model directories.

  4. Detection: audit server access logs for URL-encoded traversal patterns (%2e%2e, %252e, %2f) in source parameters and /model-versions/get-artifact requests.

  5. Secrets hygiene: rotate any credentials stored in paths accessible from the MLflow working directory.

  6. Validate: scan your deployment with a vulnerability scanner to confirm patched status.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Data Leakage Framework AML.T0025 AML.T0035 AML.T0037 AML.T0049 AML.T0055

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.1 - AI system security controls
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain the value of deployed AI systems
OWASP LLM Top 10
LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2024-1558?

Unauthenticated attackers can read any file accessible to the MLflow server process by crafting a malicious source parameter that bypasses path validation — zero credentials required, network-accessible, trivially exploitable. Patch MLflow immediately and restrict server access to trusted networks. MLflow servers routinely have access to cloud credentials and model artifacts, making this a high-value target.

Is CVE-2024-1558 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-1558, increasing the risk of exploitation.

How to fix CVE-2024-1558?

1. Patch: upgrade MLflow to the latest available release; verify fix via GitHub advisory for CVE-2024-1558. 2. Immediate workaround: block all public and untrusted network access to MLflow servers — place behind VPN or internal-only firewall rules. 3. Least privilege: run the MLflow process under a dedicated service account with read access scoped only to required model directories. 4. Detection: audit server access logs for URL-encoded traversal patterns (%2e%2e, %252e, %2f) in source parameters and /model-versions/get-artifact requests. 5. Secrets hygiene: rotate any credentials stored in paths accessible from the MLflow working directory. 6. Validate: scan your deployment with a vulnerability scanner to confirm patched status.

What systems are affected by CVE-2024-1558?

This vulnerability affects the following AI/ML architecture patterns: model registry, MLOps platforms, experiment tracking, training pipelines, model serving.

What is the CVSS score for CVE-2024-1558?

CVE-2024-1558 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.86%.

What is the AI security impact?

Affected AI Architectures

model registryMLOps platformsexperiment trackingtraining pipelinesmodel serving

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.1
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

A path traversal vulnerability exists in the `_create_model_version()` function within `server/handlers.py` of the mlflow/mlflow repository, due to improper validation of the `source` parameter. Attackers can exploit this vulnerability by crafting a `source` parameter that bypasses the `_validate_non_local_source_contains_relative_paths(source)` function's checks, allowing for arbitrary file read access on the server. The issue arises from the handling of unquoted URL characters and the subsequent misuse of the original `source` value for model version creation, leading to the exposure of sensitive files when interacting with the `/model-versions/get-artifact` handler.

Exploitation Scenario

An attacker scans for exposed MLflow tracking servers (default ports 5000, 5001) and identifies a vulnerable version. They POST a model version creation request with a source parameter containing URL-encoded path traversal sequences that bypass the _validate_non_local_source_contains_relative_paths() check (e.g., encoded variants of ../../ that survive URL decoding only after validation). The original, unquoted source value is then passed to the artifact handler. Calling /model-versions/get-artifact returns the contents of target files. In a realistic MLOps pipeline, the attacker targets ~/.aws/credentials or a mounted Kubernetes secret containing a GCS service account key, then pivots to the cloud storage bucket containing all model weights and proprietary training data.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

Timeline

Published
April 16, 2024
Last Modified
February 3, 2025
First Seen
April 16, 2024

Related Vulnerabilities

CRITICAL CVE-2025-15379 10.0

MLflow: RCE via unsanitized model dependency specs

Same package: mlflow
CRITICAL CVE-2023-3765 10.0

MLflow: path traversal allows arbitrary file read

Same package: mlflow
CRITICAL CVE-2023-2780 9.8

MLflow: path traversal allows arbitrary file read/write

Same package: mlflow
CRITICAL CVE-2026-2635 9.8

mlflow: security flaw enables exploitation

Same package: mlflow
CRITICAL CVE-2023-1177 9.8

MLflow: path traversal allows arbitrary file read/write

Same package: mlflow
Back to Threat Feed