AI Threat Alert

CVE-2024-27134: MLflow: local privilege escalation via spark_udf ToCToU

GHSA-qpgc-w4mg-6v92 HIGH
Published November 25, 2024
CISO Take

MLflow's spark_udf() function creates directories with excessive permissions, enabling a local attacker to exploit a Time-of-Check Time-of-Use (ToCToU) race condition for full privilege escalation. Risk is contained to shared compute environments where untrusted users have local access — but that describes most Spark/ML training clusters. Patch to MLflow 2.16.0 immediately if spark_udf is in use.

What is the risk?

Rated High (CVSS 7.0) but real-world exploitability is constrained by local access requirement and high attack complexity. EPSS of 0.00022 reflects low observed exploitation activity. However, multi-tenant ML training environments (shared Spark clusters, data science workbenches) represent a realistic threat surface: a compromised or malicious data scientist account with local access could escalate to root or service account privileges, gaining access to model weights, training data, and pipeline credentials.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
MLflow pip No patch
26.6K OpenSSF 5.6 655 dependents Pushed 5d ago 31% patched ~51d to patch Full package profile →
MLflow pip < 2.16.0 2.16.0
26.6K OpenSSF 5.6 655 dependents Pushed 5d ago 31% patched ~51d to patch Full package profile →

How severe is it?

CVSS 3.1
7.0 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 2% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV AC PR UI S C I A
AV Local
AC High
PR Low
UI None
S Unchanged
C High
I High
A High

What should I do?

5 steps

  1. Patch: Upgrade MLflow to 2.16.0 or later (patch in PR #10874, commit 0b1d995).

  2. Triage: Audit whether spark_udf() is called anywhere in your ML pipelines — if not, risk is negligible.

  3. Restrict: Enforce principle of least privilege on ML training servers; prevent untrusted users from sharing the same OS-level environment as MLflow processes.

  4. Detect: Monitor for unexpected privilege escalation events (sudo, setuid, capability changes) on hosts running MLflow with Spark integration.

  5. Harden: Run MLflow Spark jobs in isolated containers per user/pipeline to eliminate local multi-tenancy risk.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Auth Bypass Framework Training Data AML.T0010.001 AML.T0025 AML.T0035 AML.T0037 AML.T0055

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
6.1.2 - AI risk assessment 8.4 - AI system operation
NIST AI RMF
GOVERN 6.1 - Policies and procedures for AI risk MANAGE 2.2 - Mechanisms to sustain and monitor AI risk management plans

Frequently Asked Questions

What is CVE-2024-27134?

MLflow's spark_udf() function creates directories with excessive permissions, enabling a local attacker to exploit a Time-of-Check Time-of-Use (ToCToU) race condition for full privilege escalation. Risk is contained to shared compute environments where untrusted users have local access — but that describes most Spark/ML training clusters. Patch to MLflow 2.16.0 immediately if spark_udf is in use.

Is CVE-2024-27134 actively exploited?

No confirmed active exploitation of CVE-2024-27134 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-27134?

1. Patch: Upgrade MLflow to 2.16.0 or later (patch in PR #10874, commit 0b1d995). 2. Triage: Audit whether spark_udf() is called anywhere in your ML pipelines — if not, risk is negligible. 3. Restrict: Enforce principle of least privilege on ML training servers; prevent untrusted users from sharing the same OS-level environment as MLflow processes. 4. Detect: Monitor for unexpected privilege escalation events (sudo, setuid, capability changes) on hosts running MLflow with Spark integration. 5. Harden: Run MLflow Spark jobs in isolated containers per user/pipeline to eliminate local multi-tenancy risk.

What systems are affected by CVE-2024-27134?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, MLOps platforms, distributed ML compute (Spark), shared data science workbenches.

What is the CVSS score for CVE-2024-27134?

CVE-2024-27134 has a CVSS v3.1 base score of 7.0 (HIGH). The EPSS exploitation probability is 0.12%.

What is the AI security impact?

Affected AI Architectures

training pipelinesMLOps platformsdistributed ML compute (Spark)shared data science workbenches

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0037 Data from Local System
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: 6.1.2, 8.4
NIST AI RMF: GOVERN 6.1, MANAGE 2.2

What are the technical details?

Original Advisory

Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf. This behavior can be exploited by a local attacker to gain elevated permissions by using a ToCToU attack. The issue is only relevant when the spark_udf() MLflow API is called.

Exploitation Scenario

An attacker with a low-privilege account on a shared ML training server (e.g., a data scientist account or compromised service account) waits for a legitimate MLflow process to call spark_udf(). The vulnerable code creates a temporary directory with world-writable or overly permissive settings. The attacker races to replace the directory with a symlink or inject a malicious file between the time-of-check and time-of-use, causing MLflow to write controlled content to an arbitrary privileged path. This enables escalation to the MLflow service account or root, granting access to all ML artifacts, pipeline secrets, and downstream infrastructure.

Weaknesses (CWE)

CWE-276 Incorrect Default Permissions Primary CWE-276 Incorrect Default Permissions CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

CWE-276 — Incorrect Default Permissions: During installation, installed file permissions are set to allow anyone to modify those files.

  • [Architecture and Design, Operation] The architecture needs to access and modification attributes for files to only those users who actually require those actions.
  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
November 25, 2024
Last Modified
February 3, 2025
First Seen
November 25, 2024

Related Vulnerabilities

CRITICAL CVE-2025-15379 10.0

MLflow: RCE via unsanitized model dependency specs

Same package: mlflow
CRITICAL CVE-2023-3765 10.0

MLflow: path traversal allows arbitrary file read

Same package: mlflow
CRITICAL CVE-2026-2635 9.8

mlflow: security flaw enables exploitation

Same package: mlflow
CRITICAL CVE-2023-2780 9.8

MLflow: path traversal allows arbitrary file read/write

Same package: mlflow
CRITICAL CVE-2023-1177 9.8

MLflow: path traversal allows arbitrary file read/write

Same package: mlflow
Back to Threat Feed