CVE-2024-3848: MLflow URL fragment bypass leaks SSH

CISO Take

MLflow 2.11.0 allows unauthenticated remote attackers to read arbitrary files—including SSH private keys and cloud provider credentials—by manipulating artifact URL fragments to bypass path validation. This is a confirmed bypass of a previously patched CVE (CVE-2023-6909), indicating incomplete remediation in the prior fix. Patch immediately to the latest MLflow release, rotate any credentials accessible from the MLflow server filesystem, and restrict network exposure of all MLflow instances.

What is the risk?

High risk for organizations running externally-exposed MLflow. CVSS 7.5 with no authentication required, no user interaction, and network accessibility makes this trivially exploitable by any attacker who can reach the service. The real-world blast radius exceeds the CVSS score: ML infrastructure typically co-locates cloud provider credentials (AWS, GCP, Azure), SSH keys, and service account tokens alongside MLflow, enabling full cloud environment compromise from a single file-read primitive.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
MLflow	pip	—	No patch
26.6K OpenSSF 5.6 655 dependents Pushed 4d ago 31% patched ~51d to patch Full package profile →

Do you use MLflow? You're affected.

How severe is it?

CVSS 3.1

7.5 / 10

EPSS

43.3%

chance of exploitation in 30 days

Higher than 99% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

○ Nuclei detection template available

○ EPSS exploit prediction: 43%

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I None

A None

What should I do?

5 steps

Patch: Apply the fix in commit f8d51e21523238280ebcfdb378612afd7844eca8 or upgrade to a MLflow version released after 2024-05-16 which includes this patch.
Network isolation: Restrict MLflow UI and API access to trusted internal networks only—MLflow should never be internet-exposed.
Credential rotation: If the MLflow host was externally accessible, assume credential compromise; rotate SSH keys, cloud API keys, and all secrets on the host.
Detection: Monitor MLflow access logs for artifact URL requests containing '#' characters, '%23' encoding, or path traversal sequences ('..', '%2e%2e'). Alert on requests accessing paths outside the artifact root.
Least privilege: Run MLflow under a dedicated service account with read access scoped strictly to the artifact storage directory.

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Auth Bypass Framework AML.T0025 - Exfiltration via Cyber Means AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.8.4 - AI system security testing A.9.1 - AI system access control

NIST AI RMF

GOVERN 6.1 - Policies and procedures for AI risk management MANAGE 2.2 - Mechanisms to manage AI risks are in place

OWASP LLM Top 10

LLM05:2025 - Improper Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-3848?

MLflow 2.11.0 allows unauthenticated remote attackers to read arbitrary files—including SSH private keys and cloud provider credentials—by manipulating artifact URL fragments to bypass path validation. This is a confirmed bypass of a previously patched CVE (CVE-2023-6909), indicating incomplete remediation in the prior fix. Patch immediately to the latest MLflow release, rotate any credentials accessible from the MLflow server filesystem, and restrict network exposure of all MLflow instances.

Is CVE-2024-3848 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-3848, increasing the risk of exploitation.

How to fix CVE-2024-3848?

1. Patch: Apply the fix in commit f8d51e21523238280ebcfdb378612afd7844eca8 or upgrade to a MLflow version released after 2024-05-16 which includes this patch. 2. Network isolation: Restrict MLflow UI and API access to trusted internal networks only—MLflow should never be internet-exposed. 3. Credential rotation: If the MLflow host was externally accessible, assume credential compromise; rotate SSH keys, cloud API keys, and all secrets on the host. 4. Detection: Monitor MLflow access logs for artifact URL requests containing '#' characters, '%23' encoding, or path traversal sequences ('..', '%2e%2e'). Alert on requests accessing paths outside the artifact root. 5. Least privilege: Run MLflow under a dedicated service account with read access scoped strictly to the artifact storage directory.

What systems are affected by CVE-2024-3848?

This vulnerability affects the following AI/ML architecture patterns: ML experiment tracking platforms, Model registry, Training pipelines, MLOps infrastructure, CI/CD pipelines with ML components.

What is the CVSS score for CVE-2024-3848?

CVE-2024-3848 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 43.28%.

What is the AI security impact?

Affected AI Architectures

ML experiment tracking platformsModel registryTraining pipelinesMLOps infrastructureCI/CD pipelines with ML components

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means

AML.T0037 Data from Local System

AML.T0049 Exploit Public-Facing Application

AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Art. 15

ISO 42001: A.8.4, A.9.1

NIST AI RMF: GOVERN 6.1, MANAGE 2.2

OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '#' character can be used to insert a path into the fragment, effectively skipping validation. This allows an attacker to construct a URL that, when processed, ignores the protocol scheme and uses the provided path for filesystem access. As a result, an attacker can read arbitrary files, including sensitive information such as SSH and cloud keys, by exploiting the way the application converts the URL into a filesystem path. The issue stems from insufficient validation of the fragment portion of the URL, leading to arbitrary file read through path traversal.

Exploitation Scenario

An adversary scans for exposed MLflow instances on default ports (5000, 5001) or behind reverse proxies using Shodan or similar OSINT tools. With zero authentication required, they craft an artifact fetch request with a URL such as: GET /api/2.0/mlflow/artifacts/get?artifact_uri=http://attacker.com#/root/.ssh/id_rsa. The '#' fragment causes MLflow's URL parser to discard the scheme validation and resolve the fragment portion as a local filesystem path, returning the file contents directly in the HTTP response. The attacker systematically reads ~/.aws/credentials, ~/.config/gcloud/credentials.db, and /etc/passwd to harvest credentials, then pivots to compromise the organization's cloud infrastructure, model registry, or training data stores.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary CWE-29 Path Traversal: '\..\filename'

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.