AI Threat Alert

CVE-2024-3573: MLflow: LFI via URI parsing allows arbitrary file read

CRITICAL PoC AVAILABLE CISA: TRACK*
Published April 16, 2024
CISO Take

Any internet-exposed MLflow instance is trivially exploitable with no credentials required — attackers can read system files including cloud credentials, API keys, and ML pipeline configs. Patch immediately or network-isolate MLflow; treat all secrets accessible to the MLflow process as compromised. This is not theoretical: a working exploit exists on huntr.

What is the risk?

Critical risk in practice. CVSS 9.3 with network attack vector, no auth, no user interaction, and scope change (S:C) makes this weaponizable at scale. MLflow is routinely deployed in data science environments with privileged access to cloud provider credentials, model registries, and training infrastructure. High exposure for organizations running self-hosted MLflow without network segmentation, which is common in ML-heavy teams. The scope change implies impact beyond the MLflow process itself — harvested credentials enable lateral movement into cloud accounts and downstream AI infrastructure.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
MLflow pip No patch
26.6K OpenSSF 5.6 655 dependents Pushed 4d ago 31% patched ~51d to patch Full package profile →

Do you use MLflow? You're affected.

How severe is it?

CVSS 3.1
9.3 / 10
EPSS
0.7%
chance of exploitation in 30 days
Higher than 50% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Changed
C High
I Low
A None

What should I do?

5 steps

  1. PATCH

    Apply MLflow commit 438a450714a3ca06285eeea34bdc6cf79d7f6cbc or upgrade to a fixed release immediately.

  2. ISOLATE

    If patching is not immediate, restrict MLflow to internal network access only — no internet exposure under any circumstance.

  3. AUDIT

    Review MLflow API logs for model version creation requests with unusual 'source' parameters — look for file://, empty scheme URIs, or path traversal sequences (../, %2e%2e).

  4. ROTATE

    Assume credentials accessible to the MLflow process are compromised — rotate cloud IAM keys, database passwords, and API tokens.

  5. DETECT

    Add SIEM/WAF rules alerting on MLflow API calls with 'source' field containing file://, empty scheme, or path traversal patterns.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Auth Bypass Framework AML.T0010.001 AML.T0025 AML.T0035 AML.T0037 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
Clause 6.1.2 - AI risk assessment Clause 8.4 - AI system operation
NIST AI RMF
GOVERN 6.2 - Policies and procedures address AI risks throughout the lifecycle MANAGE 2.2 - Mechanisms are in place to sustain the value of deployed AI systems
OWASP LLM Top 10
LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2024-3573?

Any internet-exposed MLflow instance is trivially exploitable with no credentials required — attackers can read system files including cloud credentials, API keys, and ML pipeline configs. Patch immediately or network-isolate MLflow; treat all secrets accessible to the MLflow process as compromised. This is not theoretical: a working exploit exists on huntr.

Is CVE-2024-3573 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-3573, increasing the risk of exploitation.

How to fix CVE-2024-3573?

1. PATCH: Apply MLflow commit 438a450714a3ca06285eeea34bdc6cf79d7f6cbc or upgrade to a fixed release immediately. 2. ISOLATE: If patching is not immediate, restrict MLflow to internal network access only — no internet exposure under any circumstance. 3. AUDIT: Review MLflow API logs for model version creation requests with unusual 'source' parameters — look for file://, empty scheme URIs, or path traversal sequences (../, %2e%2e). 4. ROTATE: Assume credentials accessible to the MLflow process are compromised — rotate cloud IAM keys, database passwords, and API tokens. 5. DETECT: Add SIEM/WAF rules alerting on MLflow API calls with 'source' field containing file://, empty scheme, or path traversal patterns.

What systems are affected by CVE-2024-3573?

This vulnerability affects the following AI/ML architecture patterns: MLflow experiment tracking deployments, model registry, training pipelines, ML platform infrastructure, model serving.

What is the CVSS score for CVE-2024-3573?

CVE-2024-3573 has a CVSS v3.1 base score of 9.3 (CRITICAL). The EPSS exploitation probability is 0.73%.

What is the AI security impact?

Affected AI Architectures

MLflow experiment tracking deploymentsmodel registrytraining pipelinesML platform infrastructuremodel serving

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: Clause 6.1.2, Clause 8.4
NIST AI RMF: GOVERN 6.2, MANAGE 2.2
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the 'is_local_uri' function's failure to properly handle URIs with empty or 'file' schemes, leading to the misclassification of URIs as non-local. Attackers can exploit this by crafting malicious model versions with specially crafted 'source' parameters, enabling the reading of sensitive files within at least two directory levels from the server's root.

Exploitation Scenario

An attacker scans Shodan/Censys for internet-exposed MLflow tracking servers (common in data science teams that deploy without authentication). They send a POST to /api/2.0/mlflow/model-versions/create with a crafted 'source' parameter using an empty scheme or file:// URI. The is_local_uri check misclassifies the URI as non-local and MLflow processes it, returning file contents in the response. The attacker iterates: reads /proc/self/environ for environment variables containing API keys, reads ~/.aws/credentials for cloud credentials, reads MLflow's own .env for database passwords. With cloud credentials in hand, they pivot to S3 to exfiltrate model weights and training datasets, or escalate privileges in the cloud account.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary CWE-29 Path Traversal: '\..\filename'

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

References

Timeline

Published
April 16, 2024
Last Modified
February 3, 2025
First Seen
April 16, 2024

Related Vulnerabilities

CRITICAL CVE-2025-15379 10.0

MLflow: RCE via unsanitized model dependency specs

Same package: mlflow
CRITICAL CVE-2023-3765 10.0

MLflow: path traversal allows arbitrary file read

Same package: mlflow
CRITICAL CVE-2026-2635 9.8

mlflow: security flaw enables exploitation

Same package: mlflow
CRITICAL CVE-2023-1177 9.8

MLflow: path traversal allows arbitrary file read/write

Same package: mlflow
CRITICAL CVE-2023-2780 9.8

MLflow: path traversal allows arbitrary file read/write

Same package: mlflow
Back to Threat Feed