CVE-2024-3573 — CRITICAL (CVSS 9.3) AI Security Vulnerability

CISO Take

Any internet-exposed MLflow instance is trivially exploitable with no credentials required — attackers can read system files including cloud credentials, API keys, and ML pipeline configs. Patch immediately or network-isolate MLflow; treat all secrets accessible to the MLflow process as compromised. This is not theoretical: a working exploit exists on huntr.

Risk Assessment

Critical risk in practice. CVSS 9.3 with network attack vector, no auth, no user interaction, and scope change (S:C) makes this weaponizable at scale. MLflow is routinely deployed in data science environments with privileged access to cloud provider credentials, model registries, and training infrastructure. High exposure for organizations running self-hosted MLflow without network segmentation, which is common in ML-heavy teams. The scope change implies impact beyond the MLflow process itself — harvested credentials enable lateral movement into cloud accounts and downstream AI infrastructure.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
mlflow	pip	—	No patch
25.8K OpenSSF 4.7 624 dependents Pushed today 24% patched ~64d to patch Full package profile →

Do you use mlflow? You're affected.

Severity & Risk

CVSS 3.1

9.3 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 42% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Changed

C High

I Low

A None

Recommended Action

5 steps

PATCH

Apply MLflow commit 438a450714a3ca06285eeea34bdc6cf79d7f6cbc or upgrade to a fixed release immediately.
ISOLATE

If patching is not immediate, restrict MLflow to internal network access only — no internet exposure under any circumstance.
AUDIT

Review MLflow API logs for model version creation requests with unusual 'source' parameters — look for file://, empty scheme URIs, or path traversal sequences (../, %2e%2e).
ROTATE

Assume credentials accessible to the MLflow process are compromised — rotate cloud IAM keys, database passwords, and API tokens.
DETECT

Add SIEM/WAF rules alerting on MLflow API calls with 'source' field containing file://, empty scheme, or path traversal patterns.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Auth Bypass Framework AML.T0010.001 - AI Software AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

Clause 6.1.2 - AI risk assessment Clause 8.4 - AI system operation

NIST AI RMF

GOVERN 6.2 - Policies and procedures address AI risks throughout the lifecycle MANAGE 2.2 - Mechanisms are in place to sustain the value of deployed AI systems

OWASP LLM Top 10

LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2024-3573?

Any internet-exposed MLflow instance is trivially exploitable with no credentials required — attackers can read system files including cloud credentials, API keys, and ML pipeline configs. Patch immediately or network-isolate MLflow; treat all secrets accessible to the MLflow process as compromised. This is not theoretical: a working exploit exists on huntr.

Is CVE-2024-3573 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-3573, increasing the risk of exploitation.

How to fix CVE-2024-3573?

1. PATCH: Apply MLflow commit 438a450714a3ca06285eeea34bdc6cf79d7f6cbc or upgrade to a fixed release immediately. 2. ISOLATE: If patching is not immediate, restrict MLflow to internal network access only — no internet exposure under any circumstance. 3. AUDIT: Review MLflow API logs for model version creation requests with unusual 'source' parameters — look for file://, empty scheme URIs, or path traversal sequences (../, %2e%2e). 4. ROTATE: Assume credentials accessible to the MLflow process are compromised — rotate cloud IAM keys, database passwords, and API tokens. 5. DETECT: Add SIEM/WAF rules alerting on MLflow API calls with 'source' field containing file://, empty scheme, or path traversal patterns.

What systems are affected by CVE-2024-3573?

This vulnerability affects the following AI/ML architecture patterns: MLflow experiment tracking deployments, model registry, training pipelines, ML platform infrastructure, model serving.

What is the CVSS score for CVE-2024-3573?

CVE-2024-3573 has a CVSS v3.1 base score of 9.3 (CRITICAL). The EPSS exploitation probability is 0.20%.

Technical Details

NVD Description

mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the 'is_local_uri' function's failure to properly handle URIs with empty or 'file' schemes, leading to the misclassification of URIs as non-local. Attackers can exploit this by crafting malicious model versions with specially crafted 'source' parameters, enabling the reading of sensitive files within at least two directory levels from the server's root.

Exploitation Scenario

An attacker scans Shodan/Censys for internet-exposed MLflow tracking servers (common in data science teams that deploy without authentication). They send a POST to /api/2.0/mlflow/model-versions/create with a crafted 'source' parameter using an empty scheme or file:// URI. The is_local_uri check misclassifies the URI as non-local and MLflow processes it, returning file contents in the response. The attacker iterates: reads /proc/self/environ for environment variables containing API keys, reads ~/.aws/credentials for cloud credentials, reads MLflow's own .env for database passwords. With cloud credentials in hand, they pivot to S3 to exfiltrate model weights and training datasets, or escalate privileges in the cloud account.