CVE-2024-1558: MLflow: path traversal enables arbitrary file read

Severity: HIGH | PoC available | CISA SSVC: Track*
Published April 16, 2024
CISO Take

Unauthenticated attackers can read any file accessible to the MLflow server process by crafting a malicious source parameter that bypasses path validation — zero credentials required, network-accessible, trivially exploitable. Patch MLflow immediately and restrict server access to trusted networks. MLflow servers routinely have access to cloud credentials and model artifacts, making this a high-value target.

Risk Assessment

High risk for any internet-exposed or insufficiently segmented MLflow deployment. A CVSS score of 7.5 with no privileges required, no user interaction, and low attack complexity makes this a prime candidate for automated exploitation. MLOps environments are particularly dangerous targets because the MLflow process often has broad filesystem access — including .env files, cloud credential configs, SSH keys, and model weights — dramatically amplifying the blast radius beyond that of a typical path traversal.

Affected Systems

Package: mlflow
Ecosystem: pip
Vulnerable Range: not listed
Patched: No patch

Severity & Risk

CVSS 3.1
7.5 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 25% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None

Recommended Action

6 steps
  1. Patch: upgrade MLflow to the latest available release; verify fix via GitHub advisory for CVE-2024-1558.

  2. Immediate workaround: block all public and untrusted network access to MLflow servers — place behind VPN or internal-only firewall rules.

  3. Least privilege: run the MLflow process under a dedicated service account with read access scoped only to required model directories.

  4. Detection: audit server access logs for URL-encoded traversal patterns (%2e%2e, %252e, %2f) in source parameters and /model-versions/get-artifact requests.

  5. Secrets hygiene: rotate any credentials stored in paths accessible from the MLflow working directory.

  6. Validate: scan your deployment with a vulnerability scanner to confirm patched status.
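A concrete form of the detection step above, added here as an example and not part of the original advisory: a scanner for combined-format access logs that flags requests to the MLflow model-version endpoints whose request line carries the traversal indicators listed in step 4. The log format, the sample lines (constructed, not real traffic) and the model-version creation path (taken from the MLflow REST API) are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Combined-log-format line: client, timestamp, "METHOD target HTTP/x", status.
# Assumption: the MLflow server (or the reverse proxy in front of it) writes
# this common format; adjust the regex to your own log layout.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Traversal indicators from the advisory's detection step (%2e%2e, %252e, %2f)
# plus the plain "../" form. Case-insensitive so %2E%2E is caught as well.
TRAVERSAL_RE = re.compile(r'\.\./|%2e%2e|%252e|%2f', re.IGNORECASE)

# Endpoints involved in CVE-2024-1558. The artifact endpoint is named in the
# advisory; "model-versions/create" is the MLflow REST API path for the model
# version creation request (assumption drawn from the MLflow REST API docs).
WATCHED_ENDPOINTS = ("model-versions/get-artifact", "model-versions/create")


@dataclass
class Finding:
    client: str
    timestamp: str
    target: str
    status: int
    severity: str


def inspect_line(line: str) -> Optional[Finding]:
    """Return a Finding if the log line looks like a traversal attempt against
    one of the watched MLflow endpoints, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    if not any(ep in target for ep in WATCHED_ENDPOINTS):
        return None
    if not TRAVERSAL_RE.search(target):
        return None
    status = int(m.group("status"))
    # A 200 on get-artifact means the server actually served something back:
    # treat that as a likely successful read rather than a probe.
    severity = "high" if status == 200 and "get-artifact" in target else "medium"
    return Finding(m.group("client"), m.group("ts"), target, status, severity)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run inspect_line over every log line and collect the findings."""
    return [f for f in (inspect_line(l) for l in lines) if f is not None]


# Constructed sample log lines (not real traffic) to exercise the scanner.
SAMPLE_LOG = """\
203.0.113.9 - - [16/Apr/2024:10:01:02 +0000] "GET /model-versions/get-artifact?name=demo&version=1&path=model.pkl HTTP/1.1" 200 5120
203.0.113.9 - - [16/Apr/2024:10:01:05 +0000] "GET /model-versions/get-artifact?name=demo&version=2&path=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1812
198.51.100.4 - - [16/Apr/2024:10:02:11 +0000] "POST /api/2.0/mlflow/model-versions/create HTTP/1.1" 200 310
198.51.100.4 - - [16/Apr/2024:10:02:12 +0000] "GET /model-versions/get-artifact?name=demo&version=3&path=%252e%252e%2fconfig HTTP/1.1" 404 0
192.0.2.7 - - [16/Apr/2024:10:03:00 +0000] "GET /static-files/index.html HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {f.client} {f.timestamp} {f.status} {f.target}")
```

Note the third sample line: the `source` value of a model-version creation request travels in the POST body, so a plain access log never shows it and the create request above is not flagged. To cover that half of the attack, log request bodies at a reverse proxy, or check the model-version `source` values stored in the registry database after fully percent-decoding them.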

CISA SSVC Assessment

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.1 - AI system security controls
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain the value of deployed AI systems
OWASP LLM Top 10
LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2024-1558 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-1558, increasing the risk of exploitation.

What systems are affected by CVE-2024-1558?

This vulnerability affects the following AI/ML architecture patterns: model registry, MLOps platforms, experiment tracking, training pipelines, model serving.

What is the CVSS score for CVE-2024-1558?

CVE-2024-1558 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.09%.

Technical Details

NVD Description

A path traversal vulnerability exists in the `_create_model_version()` function within `server/handlers.py` of the mlflow/mlflow repository, due to improper validation of the `source` parameter. Attackers can exploit this vulnerability by crafting a `source` parameter that bypasses the `_validate_non_local_source_contains_relative_paths(source)` function's checks, allowing for arbitrary file read access on the server. The issue arises from the handling of unquoted URL characters and the subsequent misuse of the original `source` value for model version creation, leading to the exposure of sensitive files when interacting with the `/model-versions/get-artifact` handler.
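To make the validate-before-decode ordering described above concrete, here is an added, illustrative example (not MLflow's code; every function name is this example's own): a naive non-local-source check that inspects the still-encoded string, beside a hardened one that percent-decodes to a fixed point and checks the result, and a stand-in for the downstream consumer that shows why the naive check is insufficient.

```python
from urllib.parse import unquote, urlsplit

# Illustrative model of the bug class in the NVD text, not MLflow's code: a
# "non-local source" check that looks at the raw, still-encoded source string,
# while the component that later fetches the artifact works on the decoded
# value. Names and the decode bound below are this example's own choices.

MAX_DECODE_ROUNDS = 5


def fully_unquote(value: str) -> str:
    """Percent-decode until the string stops changing, so that double-encoded
    forms such as %252e collapse to their final characters. Raises if the
    value is still changing after MAX_DECODE_ROUNDS (treated as hostile)."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("percent-decoding did not converge")


def _has_relative_segment(text: str) -> bool:
    """True if any '/'- or '\\'-separated component is '.' or '..'."""
    return any(seg in ("..", ".") for seg in text.replace("\\", "/").split("/"))


def naive_validate_source(source: str) -> bool:
    """Vulnerable pattern: validates the raw string only. '%2e%2e' is not '..'
    here, so encoded traversal passes and is decoded later by the consumer."""
    parts = urlsplit(source)
    return not _has_relative_segment(parts.path)


def hardened_validate_source(source: str) -> bool:
    """Decode to a fixed point first, then check every URL component, and
    insist on a non-local scheme so a bare filesystem path cannot slip in."""
    try:
        decoded = fully_unquote(source)
    except ValueError:
        return False
    parts = urlsplit(decoded)
    if parts.scheme in ("", "file"):
        return False
    for piece in (parts.netloc, parts.path, parts.query, parts.fragment):
        if _has_relative_segment(piece):
            return False
    # Belt-and-braces over the whole decoded string, independent of parsing.
    return not _has_relative_segment(decoded)


def resolve_like_consumer(source: str) -> str:
    """Stand-in for the downstream handler that uses the *decoded* value,
    showing what a naive validator lets through."""
    return fully_unquote(source)


if __name__ == "__main__":
    for candidate in ("s3://models/prod/v1",
                      "s3://models/%2e%2e/%2e%2e/etc/passwd",
                      "s3://models/%252e%252e/secrets"):
        print(candidate, naive_validate_source(candidate),
              hardened_validate_source(candidate),
              resolve_like_consumer(candidate))
```

The design point is that the check and the consumer must agree on the representation they inspect: either decode once, canonicalize, and pass that canonical value downstream, or validate exactly the value the consumer will use. Checking one form and using another is the root cause regardless of which encoding trick is involved.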

Exploitation Scenario

An attacker scans for exposed MLflow tracking servers (default ports 5000, 5001) and identifies a vulnerable version. They POST a model version creation request whose source parameter contains URL-encoded path traversal sequences that pass the _validate_non_local_source_contains_relative_paths() check (e.g., percent-encoded variants of ../../ that are only decoded after validation has already run). The original, unquoted source value is then handed to the artifact handler, and a call to /model-versions/get-artifact returns the contents of the targeted files. In a realistic MLOps pipeline, the attacker targets ~/.aws/credentials or a mounted Kubernetes secret containing a GCS service account key, then pivots to the cloud storage bucket holding all model weights and proprietary training data.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published
April 16, 2024
Last Modified
February 3, 2025
First Seen
April 16, 2024

Related Vulnerabilities