AI Threat Alert AI Threat Alert

CVE-2024-3848: MLflow: URL fragment bypass leaks SSH and cloud keys

HIGH PoC AVAILABLE NUCLEI TEMPLATE CISA: TRACK*
Published May 16, 2024
CISO Take

MLflow 2.11.0 allows unauthenticated remote attackers to read arbitrary files—including SSH private keys and cloud provider credentials—by manipulating artifact URL fragments to bypass path validation. This is a confirmed bypass of a previously patched CVE (CVE-2023-6909), indicating incomplete remediation in the prior fix. Patch immediately to the latest MLflow release, rotate any credentials accessible from the MLflow server filesystem, and restrict network exposure of all MLflow instances.

Risk Assessment

High risk for organizations running externally-exposed MLflow. CVSS 7.5 with no authentication required, no user interaction, and network accessibility makes this trivially exploitable by any attacker who can reach the service. The real-world blast radius exceeds the CVSS score: ML infrastructure typically co-locates cloud provider credentials (AWS, GCP, Azure), SSH keys, and service account tokens alongside MLflow, enabling full cloud environment compromise from a single file-read primitive.

Affected Systems

Package Ecosystem Vulnerable Range Patched
mlflow pip No patch
25.8K OpenSSF 4.5 624 dependents Pushed today 24% patched ~64d to patch Full package profile →

Do you use mlflow? You're affected.

Severity & Risk

CVSS 3.1
7.5 / 10
EPSS
78.7%
chance of exploitation in 30 days
Higher than 99% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Nuclei detection template available
EPSS exploit prediction: 79%
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I None
A None

Recommended Action

5 steps

  1. Patch: Apply the fix in commit f8d51e21523238280ebcfdb378612afd7844eca8 or upgrade to a MLflow version released after 2024-05-16 which includes this patch.

  2. Network isolation: Restrict MLflow UI and API access to trusted internal networks only—MLflow should never be internet-exposed.

  3. Credential rotation: If the MLflow host was externally accessible, assume credential compromise; rotate SSH keys, cloud API keys, and all secrets on the host.

  4. Detection: Monitor MLflow access logs for artifact URL requests containing '#' characters, '%23' encoding, or path traversal sequences ('..', '%2e%2e'). Alert on requests accessing paths outside the artifact root.

  5. Least privilege: Run MLflow under a dedicated service account with read access scoped strictly to the artifact storage directory.

CISA SSVC Assessment

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Auth Bypass Framework AML.T0025 AML.T0037 AML.T0049 AML.T0055

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.8.4 - AI system security testing A.9.1 - AI system access control
NIST AI RMF
GOVERN 6.1 - Policies and procedures for AI risk management MANAGE 2.2 - Mechanisms to manage AI risks are in place
OWASP LLM Top 10
LLM05:2025 - Improper Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-3848?

MLflow 2.11.0 allows unauthenticated remote attackers to read arbitrary files—including SSH private keys and cloud provider credentials—by manipulating artifact URL fragments to bypass path validation. This is a confirmed bypass of a previously patched CVE (CVE-2023-6909), indicating incomplete remediation in the prior fix. Patch immediately to the latest MLflow release, rotate any credentials accessible from the MLflow server filesystem, and restrict network exposure of all MLflow instances.

Is CVE-2024-3848 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-3848, increasing the risk of exploitation.

How to fix CVE-2024-3848?

1. Patch: Apply the fix in commit f8d51e21523238280ebcfdb378612afd7844eca8 or upgrade to a MLflow version released after 2024-05-16 which includes this patch. 2. Network isolation: Restrict MLflow UI and API access to trusted internal networks only—MLflow should never be internet-exposed. 3. Credential rotation: If the MLflow host was externally accessible, assume credential compromise; rotate SSH keys, cloud API keys, and all secrets on the host. 4. Detection: Monitor MLflow access logs for artifact URL requests containing '#' characters, '%23' encoding, or path traversal sequences ('..', '%2e%2e'). Alert on requests accessing paths outside the artifact root. 5. Least privilege: Run MLflow under a dedicated service account with read access scoped strictly to the artifact storage directory.

What systems are affected by CVE-2024-3848?

This vulnerability affects the following AI/ML architecture patterns: ML experiment tracking platforms, Model registry, Training pipelines, MLOps infrastructure, CI/CD pipelines with ML components.

What is the CVSS score for CVE-2024-3848?

CVE-2024-3848 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 78.67%.

Technical Details

NVD Description

A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '#' character can be used to insert a path into the fragment, effectively skipping validation. This allows an attacker to construct a URL that, when processed, ignores the protocol scheme and uses the provided path for filesystem access. As a result, an attacker can read arbitrary files, including sensitive information such as SSH and cloud keys, by exploiting the way the application converts the URL into a filesystem path. The issue stems from insufficient validation of the fragment portion of the URL, leading to arbitrary file read through path traversal.

Exploitation Scenario

An adversary scans for exposed MLflow instances on default ports (5000, 5001) or behind reverse proxies using Shodan or similar OSINT tools. With zero authentication required, they craft an artifact fetch request with a URL such as: GET /api/2.0/mlflow/artifacts/get?artifact_uri=http://attacker.com#/root/.ssh/id_rsa. The '#' fragment causes MLflow's URL parser to discard the scheme validation and resolve the fragment portion as a local filesystem path, returning the file contents directly in the HTTP response. The attacker systematically reads ~/.aws/credentials, ~/.config/gcloud/credentials.db, and /etc/passwd to harvest credentials, then pivots to compromise the organization's cloud infrastructure, model registry, or training data stores.

Weaknesses (CWE)

CWE-22 Primary CWE-29

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

Timeline

Published
May 16, 2024
Last Modified
January 24, 2025
First Seen
May 16, 2024

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

View template on GitHub
nuclei -t http/cves/2024/CVE-2024-3848.yaml -u https://target.example.com

Related Vulnerabilities

CRITICAL CVE-2025-15379 10.0

MLflow: RCE via unsanitized model dependency specs

Same package: mlflow
CRITICAL CVE-2023-3765 10.0

MLflow: path traversal allows arbitrary file read

Same package: mlflow
CRITICAL CVE-2026-2635 9.8

mlflow: security flaw enables exploitation

Same package: mlflow
CRITICAL CVE-2023-1177 9.8

MLflow: path traversal allows arbitrary file read/write

Same package: mlflow
CRITICAL CVE-2023-2780 9.8

MLflow: path traversal allows arbitrary file read/write

Same package: mlflow
Back to Threat Feed