CVE-2024-1594: MLflow: path traversal via URI fragment reads arbitrary files

Severity: HIGH | PoC available | CISA SSVC: Track*
Published April 16, 2024
CISO Take

Any internet-exposed MLflow instance is fully compromised by an unauthenticated attacker who can read arbitrary server files including credentials, model weights, and training data. Patch immediately or take MLflow off the public internet behind a VPN/auth proxy. This requires zero privileges and zero user interaction — treat it as critical in your environment if MLflow is reachable from untrusted networks.

Risk Assessment

Effective risk is CRITICAL in any organization running MLflow with public or semi-public exposure. The CVSS 7.5 score undersells the operational impact: the combination of no authentication, no user interaction and a network-accessible attack vector means mass exploitation is trivially scriptable. MLflow is commonly deployed without strong perimeter controls in data science environments, making this a high-probability, high-impact combination. EPSS data is unavailable, but exploitability is near-trivial given that a proof of concept is available on huntr.

Affected Systems

Package   Ecosystem   Vulnerable Range   Patched
mlflow    pip         -                  No patch


Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 42% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None

Recommended Action

6 steps
  1. PATCH

    Upgrade MLflow to the patched version referenced in the huntr advisory (check official MLflow GitHub releases for the fix targeting CVE-2024-1594).

  2. ISOLATE IMMEDIATELY

    If patching is not immediate, restrict MLflow to internal networks only — bind to localhost or place behind VPN/SSO proxy. No MLflow UI or tracking server should be publicly accessible without authentication.

  3. AUDIT EXPOSURE

    Run `netstat -tlnp | grep mlflow` or equivalent on all servers; identify any `0.0.0.0` bindings on ports 5000/5001.

  4. ROTATE CREDENTIALS

    Assume any server running an exposed MLflow instance has had its filesystem read. Rotate cloud credentials, API tokens, and database passwords on those hosts.

  5. DETECT

    Look for anomalous `POST /api/2.0/mlflow/experiments/create` requests with `artifact_location` values containing `#`, `..`, or file URI schemes in MLflow access logs.

  6. COMPENSATING CONTROL

    Apply WAF rules to reject `artifact_location` parameters containing fragment identifiers or directory traversal sequences.
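As an added illustration of steps 5 and 6 (this is not code from the page or from the MLflow project), the check below implements the page's `#` / `..` / file-scheme heuristic and runs it over constructed request records. It assumes a reverse proxy in front of MLflow that writes one JSON record per request with the POST body in a `body` field (standard access logs do not keep bodies), and it percent-decodes values before matching, which the page's rule does not mention.

```python
"""Flag MLflow experiment-creation requests whose artifact_location carries the
CVE-2024-1594 '#' fragment, a '..' segment or a file:// scheme (added example)."""
import json
from urllib.parse import unquote, urlsplit

CREATE_PATH = "/api/2.0/mlflow/experiments/create"

def suspicious_reasons(artifact_location: str) -> list:
    """Reasons a value is suspect ([] = benign). Percent-decode first so '%23'
    counts as '#'. Checking the raw '#' is deliberate: urlsplit() reports an
    *empty* fragment for a trailing '#', so parts.fragment alone misses it."""
    value = unquote(artifact_location)
    reasons = []
    if "#" in value:
        reasons.append("uri-fragment")
    parts = urlsplit(value)
    if parts.scheme.lower() == "file":
        reasons.append("file-scheme")
    if ".." in parts.path.split("/"):
        reasons.append("path-traversal")
    return reasons

def scan_records(lines):
    """Scan JSON-per-line access records (an assumed proxy format that keeps the
    POST body under 'body') and return (client, value, reasons) per hit."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("path") != CREATE_PATH:
            continue
        try:
            value = json.loads(rec.get("body") or "{}").get("artifact_location", "")
        except json.JSONDecodeError:
            continue  # malformed body: MLflow rejects it before any URI handling
        reasons = suspicious_reasons(str(value))
        if reasons:
            hits.append((rec.get("client"), value, reasons))
    return hits

def _rec(client, method, path, body=None):
    """Build one constructed log record (sample data, not real traffic)."""
    return json.dumps({"client": client, "method": method, "path": path,
                       "body": json.dumps(body) if body is not None else ""})

SAMPLE_LOG = [
    _rec("10.0.0.5", "POST", CREATE_PATH, {"name": "nightly", "artifact_location": "s3://ml-artifacts/nightly"}),
    _rec("198.51.100.7", "POST", CREATE_PATH, {"name": "x", "artifact_location": "file:///home/mlflow/.aws/credentials#"}),
    _rec("198.51.100.7", "POST", CREATE_PATH, {"name": "y", "artifact_location": "s3://ml-artifacts/%2e%2e/../secrets"}),
    _rec("10.0.0.5", "GET", "/api/2.0/mlflow/experiments/list"),
]
```

`scan_records(SAMPLE_LOG)` flags only the two records from 198.51.100.7; the same `suspicious_reasons` check can sit in a WAF or proxy middleware as the step 6 rejection rule.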

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.1 - Information security in AI systems; A.9.4 - AI data security
NIST AI RMF: GV-1.7 - Processes for AI risk management are reviewed; MS-2.5 - Practices and controls for AI risk management are in place
OWASP LLM Top 10: LLM06:2025 - Excessive Agency / Insecure Design

Frequently Asked Questions

Is CVE-2024-1594 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-1594, increasing the risk of exploitation.

What systems are affected by CVE-2024-1594?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, training pipelines, model registry, experiment tracking infrastructure, CI/CD pipelines for ML.

What is the CVSS score for CVE-2024-1594?

CVE-2024-1594 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.21%.

Technical Details

NVD Description

A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the `artifact_location` parameter when creating an experiment. Attackers can exploit this vulnerability by using a fragment component `#` in the artifact location URI to read arbitrary files on the server in the context of the server's process. This issue is similar to CVE-2023-6909 but utilizes a different component of the URI to achieve the same effect.

Exploitation Scenario

An adversary scanning for exposed MLflow tracking servers (common on port 5000) identifies a data science team's unprotected instance. They send a single unauthenticated POST to `/api/2.0/mlflow/experiments/create` with `artifact_location` set to `file:///home/mlflow/.aws/credentials#`. MLflow processes the URI, uses the fragment to bypass previous path traversal mitigations, and the attacker retrieves AWS access keys. With these keys, the adversary pivots to S3 buckets containing proprietary training datasets and model weights, achieving full AI intellectual property theft without ever needing to compromise the training pipeline itself. The entire attack chain takes under 5 minutes and leaves minimal forensic traces beyond HTTP access logs.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: April 16, 2024
Last Modified: February 3, 2025
First Seen: April 16, 2024
