AI Threat Alert AI Threat Alert

CVE-2024-8859: MLflow: path traversal allows arbitrary file read via DBFS

GHSA-4rqf-8pfm-p36r HIGH PoC AVAILABLE CISA: TRACK*
Published March 20, 2025
CISO Take

Any MLflow deployment with DBFS configured and network-accessible is vulnerable to unauthenticated arbitrary file reads — no credentials required. An attacker can exfiltrate model weights, credentials, API keys, and config files stored on the host. Patch to 2.17.0rc0+ immediately or disable DBFS if not in use.

Risk Assessment

High risk for MLOps teams running MLflow with DBFS enabled. CVSS 7.5 with zero authentication required (AV:N/AC:L/PR:N/UI:N) means this is trivially exploitable over the network. EPSS of 0.269 indicates ~27% exploitation probability within 30 days. A public PoC exists on huntr.com. MLflow servers are often deployed internally but many teams expose them on corporate networks or cloud VPCs with permissive security groups — significantly expanding the attack surface beyond what CVSS alone suggests.

Affected Systems

Package Ecosystem Vulnerable Range Patched
mlflow pip No patch
25.7K OpenSSF 4.5 624 dependents Pushed 7d ago 24% patched ~64d to patch Full package profile →
mlflow pip < 2.17.0rc0 2.17.0rc0
25.7K OpenSSF 4.5 624 dependents Pushed 7d ago 24% patched ~64d to patch Full package profile →

Severity & Risk

CVSS 3.1
7.5 / 10
EPSS
25.7%
chance of exploitation in 30 days
Higher than 96% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
EPSS exploit prediction: 26%
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I None
A None

Recommended Action

6 steps

  1. PATCH

    Upgrade to mlflow>=2.17.0rc0 immediately. The fix is in commit 7791b8cdd595f21b5f179c7b17e4b5eb5cbbe654.

  2. WORKAROUND

    If patching is not immediately possible, disable DBFS service or restrict MLflow network access to trusted IPs only via firewall/security groups.

  3. AUDIT

    Review what files are readable by the MLflow process user — apply principle of least privilege.

  4. ROTATE

    Assume any credentials, API keys, or secrets on the MLflow host may be compromised if the server was publicly accessible.

  5. DETECT

    Check web/application logs for requests containing path traversal sequences (../, %2e%2e, %252e) in DBFS-related endpoints.

  6. SCAN

    Inventory all MLflow instances in your environment; shadow IT ML servers are common in data science teams.

CISA SSVC Assessment

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Data Leakage Framework Training Data AML.T0025 AML.T0035 AML.T0037 AML.T0049 AML.T0055

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk Management System
ISO 42001
A.6.1 - Risk management for AI systems A.8.2 - Information security in AI system lifecycle
NIST AI RMF
GOVERN-6.2 - Organizational policies for AI risk management MANAGE-2.2 - Scientific and technological risks are monitored

Frequently Asked Questions

What is CVE-2024-8859?

Any MLflow deployment with DBFS configured and network-accessible is vulnerable to unauthenticated arbitrary file reads — no credentials required. An attacker can exfiltrate model weights, credentials, API keys, and config files stored on the host. Patch to 2.17.0rc0+ immediately or disable DBFS if not in use.

Is CVE-2024-8859 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-8859, increasing the risk of exploitation.

How to fix CVE-2024-8859?

1. PATCH: Upgrade to mlflow>=2.17.0rc0 immediately. The fix is in commit 7791b8cdd595f21b5f179c7b17e4b5eb5cbbe654. 2. WORKAROUND: If patching is not immediately possible, disable DBFS service or restrict MLflow network access to trusted IPs only via firewall/security groups. 3. AUDIT: Review what files are readable by the MLflow process user — apply principle of least privilege. 4. ROTATE: Assume any credentials, API keys, or secrets on the MLflow host may be compromised if the server was publicly accessible. 5. DETECT: Check web/application logs for requests containing path traversal sequences (../, %2e%2e, %252e) in DBFS-related endpoints. 6. SCAN: Inventory all MLflow instances in your environment; shadow IT ML servers are common in data science teams.

What systems are affected by CVE-2024-8859?

This vulnerability affects the following AI/ML architecture patterns: MLOps pipelines, model training pipelines, model registries, experiment tracking systems, CI/CD ML pipelines.

What is the CVSS score for CVE-2024-8859?

CVE-2024-8859 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 25.69%.

Technical Details

NVD Description

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while parts such as query and parameters are not handled. The vulnerability is triggered if the user has configured the dbfs service, and during usage, the service is mounted to a local directory.

Exploitation Scenario

An adversary scans for exposed MLflow instances (default port 5000/5001) via Shodan or internal network scanning. They identify a deployment with DBFS configured and mounted to the host filesystem. They craft a malicious URL that passes path traversal sequences in the query parameter rather than the path component — bypassing MLflow's incomplete path validation — and issue a GET request like: `GET /api/2.0/dbfs/read?path=../../../../../../etc/passwd`. The server follows the file:// protocol with the unsanitized input and returns the file contents. The attacker iterates to read ~/.aws/credentials, .env files, or MLflow's own database connection config, extracting cloud keys or database passwords to pivot deeper into the ML infrastructure.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary CWE-29 Path Traversal: '..filename' Primary CWE-29

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

Timeline

Published
March 20, 2025
Last Modified
August 5, 2025
First Seen
March 20, 2025

Related Vulnerabilities

CRITICAL CVE-2025-15379 10.0

MLflow: RCE via unsanitized model dependency specs

Same package: mlflow
CRITICAL CVE-2023-3765 10.0

MLflow: path traversal allows arbitrary file read

Same package: mlflow
CRITICAL CVE-2023-2780 9.8

MLflow: path traversal allows arbitrary file read/write

Same package: mlflow
CRITICAL CVE-2026-2635 9.8

mlflow: security flaw enables exploitation

Same package: mlflow
CRITICAL CVE-2023-1177 9.8

MLflow: path traversal allows arbitrary file read/write

Same package: mlflow
Back to Threat Feed