AI Threat Alert
CVE-2024-21799: Intel Extension for Transformers: path traversal privesc
HIGH PoC AVAILABLEIntel Extension for Transformers before v1.5 allows any authenticated local user to escalate privileges via path traversal—a trivial exploit on shared ML infrastructure like GPU clusters. Upgrade to v1.5+ immediately and audit who has shell access to systems running this library. The real risk is the blast radius: a compromised data scientist account becomes a root foothold on your ML training infrastructure.
What is the risk?
Medium-high risk for organizations operating shared ML compute environments. CVSS 7.1 with local attack vector, low complexity, and low privilege requirement means any user account on an affected system is a potential escalation vector. Not in CISA KEV and no confirmed public exploits, but the technique is textbook—no AI expertise required. Highest exposure in multi-tenant GPU clusters, MLOps platforms, and CI/CD pipelines where multiple users share the same compute nodes. Impact scores (I:H, A:H) reflect potential for full system compromise or destruction of ML artifacts.
How severe is it?
What is the attack surface?
What should I do?
1 step-
1) Patch: Upgrade Intel Extension for Transformers to v1.5+. Verify with: pip show intel-extension-for-transformers. 2) Inventory: Scan all ML servers, training nodes, and inference hosts—run: pip list --format=columns | grep intel-extension across your fleet. 3) Access control: Until patched, restrict local shell access on ML infrastructure to minimum required users; enforce SSH key-based auth only. 4) File integrity monitoring: Deploy FIM on critical directories (/etc, /root, model artifact paths) and alert on writes from Python/ML processes. 5) Container enforcement: For containerized ML workloads, enforce read-only mounts on system directories and drop DAC_OVERRIDE capabilities. 6) Secrets audit: Post-patch, rotate any credentials that may have been accessible on affected systems.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2024-21799?
Intel Extension for Transformers before v1.5 allows any authenticated local user to escalate privileges via path traversal—a trivial exploit on shared ML infrastructure like GPU clusters. Upgrade to v1.5+ immediately and audit who has shell access to systems running this library. The real risk is the blast radius: a compromised data scientist account becomes a root foothold on your ML training infrastructure.
Is CVE-2024-21799 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2024-21799, increasing the risk of exploitation.
How to fix CVE-2024-21799?
1) Patch: Upgrade Intel Extension for Transformers to v1.5+. Verify with: pip show intel-extension-for-transformers. 2) Inventory: Scan all ML servers, training nodes, and inference hosts—run: pip list --format=columns | grep intel-extension across your fleet. 3) Access control: Until patched, restrict local shell access on ML infrastructure to minimum required users; enforce SSH key-based auth only. 4) File integrity monitoring: Deploy FIM on critical directories (/etc, /root, model artifact paths) and alert on writes from Python/ML processes. 5) Container enforcement: For containerized ML workloads, enforce read-only mounts on system directories and drop DAC_OVERRIDE capabilities. 6) Secrets audit: Post-patch, rotate any credentials that may have been accessible on affected systems.
What systems are affected by CVE-2024-21799?
This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, ML development environments, shared GPU clusters, MLOps platforms.
What is the CVSS score for CVE-2024-21799?
CVE-2024-21799 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 0.75%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.001 AI Software AML.T0025 Exfiltration via Cyber Means AML.T0035 AI Artifact Collection AML.T0037 Data from Local System Compliance Controls Affected
What are the technical details?
Original Advisory
Path traversal for some Intel(R) Extension for Transformers software before version 1.5 may allow an authenticated user to potentially enable escalation of privilege via local access.
Exploitation Scenario
An attacker with a low-privileged account on a shared GPU training cluster—say, a compromised data scientist credential—calls a vulnerable file operation in Intel Extension for Transformers with a crafted path such as '../../root/.ssh/authorized_keys'. The library writes attacker-controlled content to the root SSH authorized_keys file, granting the attacker persistent root SSH access. From there, the attacker has unrestricted access to all model weights, training datasets, API keys stored in .env files, and the ability to poison models or exfiltrate proprietary IP. The entire operation requires no GPU, no ML knowledge, and no exploit tooling beyond a basic path traversal string.
Weaknesses (CWE)
CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H References
Timeline
Related Vulnerabilities
CVE-2025-59528 10.0 Flowise: Unauthenticated RCE via MCP config injection
Same attack type: Supply Chain CVE-2024-2912 10.0 BentoML: RCE via insecure deserialization (CVSS 10)
Same attack type: Supply Chain CVE-2023-3765 10.0 MLflow: path traversal allows arbitrary file read
Same attack type: Supply Chain CVE-2025-5120 10.0 smolagents: sandbox escape enables unauthenticated RCE
Same attack type: Supply Chain CVE-2026-21858 10.0 n8n: Input Validation flaw enables exploitation
Same attack type: Code Execution