MLflow's spark_udf() function creates directories with excessive permissions, enabling a local attacker to exploit a Time-of-Check Time-of-Use (ToCToU) race condition for full privilege escalation. Risk is contained to shared compute environments where untrusted users have local access — but that describes most Spark/ML training clusters. Patch to MLflow 2.16.0 immediately if spark_udf is in use.
Risk Assessment
Rated High (CVSS 7.0), but real-world exploitability is constrained by the local access requirement and high attack complexity. The EPSS of 0.00022 reflects low observed exploitation activity. However, multi-tenant ML training environments (shared Spark clusters, data science workbenches) represent a realistic threat surface: a compromised or malicious data scientist account with local access could escalate to root or service account privileges, gaining access to model weights, training data, and pipeline credentials.
Recommended Action
1. Patch: Upgrade MLflow to 2.16.0 or later (patch in PR #10874, commit 0b1d995).
2. Triage: Audit whether spark_udf() is called anywhere in your ML pipelines; if not, risk is negligible.
3. Restrict: Enforce the principle of least privilege on ML training servers; prevent untrusted users from sharing the same OS-level environment as MLflow processes.
4. Detect: Monitor for unexpected privilege escalation events (sudo, setuid, capability changes) on hosts running MLflow with Spark integration.
5. Harden: Run MLflow Spark jobs in isolated containers per user/pipeline to eliminate local multi-tenancy risk.
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Compliance Impact
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2024-27134?
MLflow's spark_udf() function creates directories with excessive permissions, enabling a local attacker to exploit a Time-of-Check Time-of-Use (ToCToU) race condition for full privilege escalation. Risk is contained to shared compute environments where untrusted users have local access — but that describes most Spark/ML training clusters. Patch to MLflow 2.16.0 immediately if spark_udf is in use.
Is CVE-2024-27134 actively exploited?
No confirmed active exploitation of CVE-2024-27134 has been reported, but organizations should still patch proactively.
How to fix CVE-2024-27134?
1. Patch: Upgrade MLflow to 2.16.0 or later (patch in PR #10874, commit 0b1d995).
2. Triage: Audit whether spark_udf() is called anywhere in your ML pipelines; if not, risk is negligible.
3. Restrict: Enforce the principle of least privilege on ML training servers; prevent untrusted users from sharing the same OS-level environment as MLflow processes.
4. Detect: Monitor for unexpected privilege escalation events (sudo, setuid, capability changes) on hosts running MLflow with Spark integration.
5. Harden: Run MLflow Spark jobs in isolated containers per user/pipeline to eliminate local multi-tenancy risk.
What systems are affected by CVE-2024-27134?
This vulnerability affects the following AI/ML architecture patterns: training pipelines, MLOps platforms, distributed ML compute (Spark), shared data science workbenches.
What is the CVSS score for CVE-2024-27134?
CVE-2024-27134 has a CVSS v3.1 base score of 7.0 (HIGH). The EPSS exploitation probability is 0.03%.
Technical Details
NVD Description
Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf. This behavior can be exploited by a local attacker to gain elevated permissions by using a ToCToU attack. The issue is only relevant when the spark_udf() MLflow API is called.
Exploitation Scenario
An attacker with a low-privilege account on a shared ML training server (e.g., a data scientist account or compromised service account) waits for a legitimate MLflow process to call spark_udf(). The vulnerable code creates a temporary directory with world-writable or overly permissive settings. The attacker races to replace the directory with a symlink or inject a malicious file between the time-of-check and time-of-use, causing MLflow to write controlled content to an arbitrary privileged path. This enables escalation to the MLflow service account or root, granting access to all ML artifacts, pipeline secrets, and downstream infrastructure.
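The directory-permission weakness behind this scenario can be shown side by side with its hardened form. The following is an added example, not MLflow's code or the upstream patch; the function names and the `udf-scratch` directory name are hypothetical, and `audit_dir` is one way a defender could check an existing scratch directory on a shared host.

```python
import os
import stat
import tempfile


def create_scratch_dir_weak(parent, name):
    """Bug-class pattern: predictable name, mode open to every local user."""
    path = os.path.join(parent, name)
    os.makedirs(path, exist_ok=True)  # silently accepts a pre-existing directory
    os.chmod(path, 0o777)             # other users may now add or swap entries
    return path


def create_scratch_dir_hardened(parent):
    """mkdtemp picks an unpredictable name and creates the directory as 0700."""
    return tempfile.mkdtemp(prefix="udf-", dir=parent)


def audit_dir(path):
    """Return findings that make `path` unsafe to write into on a shared host."""
    st = os.lstat(path)  # lstat: inspect the entry itself, never a link target
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    findings = []
    if st.st_uid != os.geteuid():
        findings.append("owned by another user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group/other writable")
    return findings


def demo():
    """Run both patterns inside a throwaway parent directory (constructed sample)."""
    with tempfile.TemporaryDirectory() as parent:
        weak = create_scratch_dir_weak(parent, "udf-scratch")
        safe = create_scratch_dir_hardened(parent)
        link = os.path.join(parent, "link")
        os.symlink(safe, link)  # a link standing where a directory is expected
        return audit_dir(weak), audit_dir(safe), audit_dir(link)


if __name__ == "__main__":
    print(demo())
```
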
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References
Timeline
Related Vulnerabilities
CVE-2025-15379 10.0 MLflow: RCE via unsanitized model dependency specs (Same package: mlflow)
CVE-2023-3765 10.0 MLflow: path traversal allows arbitrary file read (Same package: mlflow)
CVE-2026-2635 9.8 mlflow: security flaw enables exploitation (Same package: mlflow)
CVE-2023-2780 9.8 MLflow: path traversal allows arbitrary file read/write (Same package: mlflow)
CVE-2023-1177 9.8 MLflow: path traversal allows arbitrary file read/write (Same package: mlflow)