AI Threat Alert

CVE-2024-1593: MLflow: path traversal via ';' smuggling exposes files

HIGH PoC AVAILABLE CISA: TRACK*
Published April 16, 2024
CISO Take

MLflow's unauthenticated path traversal (no privileges, no user interaction, network-accessible) means any exposed MLflow instance is a direct file read target. Attackers can exfiltrate model artifacts, training data, and credential files stored on the MLflow server. Patch immediately or isolate all MLflow instances behind VPN/firewall — this is not a theoretical risk on public-facing deployments.

What is the risk?

HIGH operational risk for AI/ML teams. CVSS 7.5 understates exposure in practice: MLflow instances are frequently deployed on internal networks with broad team access or, worse, publicly exposed for collaboration. The attack requires zero authentication and zero user interaction, making automated scanning and exploitation trivial. The ';' parameter smuggling technique is a known bypass category that WAFs often miss. MLflow servers typically sit at the core of ML pipelines and store or reference sensitive artifacts — credentials in .env files, cloud provider tokens, model weights, and training datasets are all reachable via file traversal.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
MLflow pip No patch
26.6K OpenSSF 5.6 655 dependents Pushed 4d ago 31% patched ~51d to patch Full package profile →

Do you use MLflow? You're affected.

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
0.7%
chance of exploitation in 30 days
Higher than 48% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I None
A None

What should I do?

6 steps

  1. PATCH

    Upgrade MLflow to the version that resolves CVE-2024-1593 (check huntr advisory for specific patched version).

  2. NETWORK ISOLATION

    Immediately restrict MLflow UI/API to internal network or VPN-only access — no MLflow instance should be internet-facing without auth.

  3. WAF RULE

    Add detection for ';' characters in URL path parameters targeting MLflow endpoints.

  4. AUDIT LOGS

    Review MLflow access logs for requests containing semicolons (';') in URL params, especially targeting file paths or artifact endpoints.

  5. SECRETS HYGIENE

    Audit that no credentials, API keys, or cloud tokens are stored in directories accessible to the MLflow artifact store.

  6. LEAST PRIVILEGE

    Ensure MLflow server process runs with minimal filesystem permissions — restrict to artifact store directory only.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Auth Bypass Framework Training Data AML.T0025 AML.T0035 AML.T0037 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - Security of AI system components
NIST AI RMF
MANAGE 2.2 - Mechanisms to respond to AI risks
OWASP LLM Top 10
LLM08 - Excessive Agency / Insecure Plugin Design

Frequently Asked Questions

What is CVE-2024-1593?

MLflow's unauthenticated path traversal (no privileges, no user interaction, network-accessible) means any exposed MLflow instance is a direct file read target. Attackers can exfiltrate model artifacts, training data, and credential files stored on the MLflow server. Patch immediately or isolate all MLflow instances behind VPN/firewall — this is not a theoretical risk on public-facing deployments.

Is CVE-2024-1593 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-1593, increasing the risk of exploitation.

How to fix CVE-2024-1593?

1. PATCH: Upgrade MLflow to the version that resolves CVE-2024-1593 (check huntr advisory for specific patched version). 2. NETWORK ISOLATION: Immediately restrict MLflow UI/API to internal network or VPN-only access — no MLflow instance should be internet-facing without auth. 3. WAF RULE: Add detection for ';' characters in URL path parameters targeting MLflow endpoints. 4. AUDIT LOGS: Review MLflow access logs for requests containing semicolons (';') in URL params, especially targeting file paths or artifact endpoints. 5. SECRETS HYGIENE: Audit that no credentials, API keys, or cloud tokens are stored in directories accessible to the MLflow artifact store. 6. LEAST PRIVILEGE: Ensure MLflow server process runs with minimal filesystem permissions — restrict to artifact store directory only.

What systems are affected by CVE-2024-1593?

This vulnerability affects the following AI/ML architecture patterns: MLOps pipelines, model registry, training pipelines, experiment tracking infrastructure, model serving.

What is the CVSS score for CVE-2024-1593?

CVE-2024-1593 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.69%.

What is the AI security impact?

Affected AI Architectures

MLOps pipelinesmodel registrytraining pipelinesexperiment tracking infrastructuremodel serving

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

A path traversal vulnerability exists in the mlflow/mlflow repository due to improper handling of URL parameters. By smuggling path traversal sequences using the ';' character in URLs, attackers can manipulate the 'params' portion of the URL to gain unauthorized access to files or directories. This vulnerability allows for arbitrary data smuggling into the 'params' part of the URL, enabling attacks similar to those described in previous reports but utilizing the ';' character for parameter smuggling. Successful exploitation could lead to unauthorized information disclosure or server compromise.

Exploitation Scenario

An adversary conducting reconnaissance against a target's ML infrastructure identifies an exposed MLflow tracking server (common in data science teams using default deployments). They craft a URL to the MLflow REST API embedding a path traversal sequence using ';' as a parameter delimiter to escape the intended path scope — e.g., targeting the artifact download or file serving endpoint. By iterating traversal payloads, the attacker reads /etc/passwd to confirm traversal works, then pivots to targeting ~/.aws/credentials, .env files, or MLflow's own database configuration. Cloud storage keys recovered can then be used to exfiltrate the full model artifact store, including proprietary model weights, training data, and experiment metadata.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

Timeline

Published
April 16, 2024
Last Modified
February 3, 2025
First Seen
April 16, 2024

Related Vulnerabilities

CRITICAL CVE-2025-15379 10.0

MLflow: RCE via unsanitized model dependency specs

Same package: mlflow
CRITICAL CVE-2023-3765 10.0

MLflow: path traversal allows arbitrary file read

Same package: mlflow
CRITICAL CVE-2026-2635 9.8

mlflow: security flaw enables exploitation

Same package: mlflow
CRITICAL CVE-2023-1177 9.8

MLflow: path traversal allows arbitrary file read/write

Same package: mlflow
CRITICAL CVE-2023-2780 9.8

MLflow: path traversal allows arbitrary file read/write

Same package: mlflow
Back to Threat Feed