CVE-2024-8859: MLflow path traversal

CISO Take

Any MLflow deployment with DBFS configured and network-accessible is vulnerable to unauthenticated arbitrary file reads — no credentials required. An attacker can exfiltrate model weights, credentials, API keys, and config files stored on the host. Patch to 2.17.0rc0+ immediately or disable DBFS if not in use.

What is the risk?

High risk for MLOps teams running MLflow with DBFS enabled. CVSS 7.5 with zero authentication required (AV:N/AC:L/PR:N/UI:N) means this is trivially exploitable over the network. EPSS of 0.269 indicates ~27% exploitation probability within 30 days. A public PoC exists on huntr.com. MLflow servers are often deployed internally but many teams expose them on corporate networks or cloud VPCs with permissive security groups — significantly expanding the attack surface beyond what CVSS alone suggests.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
MLflow	pip	—	No patch
26.6K OpenSSF 5.6 655 dependents Pushed 4d ago 31% patched ~51d to patch Full package profile →
MLflow	pip	< 2.17.0rc0	`2.17.0rc0`
26.6K OpenSSF 5.6 655 dependents Pushed 4d ago 31% patched ~51d to patch Full package profile →

How severe is it?

CVSS 3.1

7.5 / 10

EPSS

2.5%

chance of exploitation in 30 days

Higher than 83% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I None

A None

What should I do?

6 steps

PATCH

Upgrade to mlflow>=2.17.0rc0 immediately. The fix is in commit 7791b8cdd595f21b5f179c7b17e4b5eb5cbbe654.
WORKAROUND

If patching is not immediately possible, disable DBFS service or restrict MLflow network access to trusted IPs only via firewall/security groups.
AUDIT

Review what files are readable by the MLflow process user — apply principle of least privilege.
ROTATE

Assume any credentials, API keys, or secrets on the MLflow host may be compromised if the server was publicly accessible.
DETECT

Check web/application logs for requests containing path traversal sequences (../, %2e%2e, %252e) in DBFS-related endpoints.
SCAN

Inventory all MLflow instances in your environment; shadow IT ML servers are common in data science teams.

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Data Leakage Framework Training Data AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk Management System

ISO 42001

A.6.1 - Risk management for AI systems A.8.2 - Information security in AI system lifecycle

NIST AI RMF

GOVERN-6.2 - Organizational policies for AI risk management MANAGE-2.2 - Scientific and technological risks are monitored

Frequently Asked Questions

What is CVE-2024-8859?

Any MLflow deployment with DBFS configured and network-accessible is vulnerable to unauthenticated arbitrary file reads — no credentials required. An attacker can exfiltrate model weights, credentials, API keys, and config files stored on the host. Patch to 2.17.0rc0+ immediately or disable DBFS if not in use.

Is CVE-2024-8859 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-8859, increasing the risk of exploitation.

How to fix CVE-2024-8859?

1. PATCH: Upgrade to mlflow>=2.17.0rc0 immediately. The fix is in commit 7791b8cdd595f21b5f179c7b17e4b5eb5cbbe654. 2. WORKAROUND: If patching is not immediately possible, disable DBFS service or restrict MLflow network access to trusted IPs only via firewall/security groups. 3. AUDIT: Review what files are readable by the MLflow process user — apply principle of least privilege. 4. ROTATE: Assume any credentials, API keys, or secrets on the MLflow host may be compromised if the server was publicly accessible. 5. DETECT: Check web/application logs for requests containing path traversal sequences (../, %2e%2e, %252e) in DBFS-related endpoints. 6. SCAN: Inventory all MLflow instances in your environment; shadow IT ML servers are common in data science teams.

What systems are affected by CVE-2024-8859?

This vulnerability affects the following AI/ML architecture patterns: MLOps pipelines, model training pipelines, model registries, experiment tracking systems, CI/CD ML pipelines.

What is the CVSS score for CVE-2024-8859?

CVE-2024-8859 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 2.50%.

What is the AI security impact?

Affected AI Architectures

MLOps pipelinesmodel training pipelinesmodel registriesexperiment tracking systemsCI/CD ML pipelines

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means

AML.T0035 AI Artifact Collection

AML.T0037 Data from Local System

AML.T0049 Exploit Public-Facing Application

AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Article 15, Article 9

ISO 42001: A.6.1, A.8.2

NIST AI RMF: GOVERN-6.2, MANAGE-2.2

What are the technical details?

Original Advisory

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while parts such as query and parameters are not handled. The vulnerability is triggered if the user has configured the dbfs service, and during usage, the service is mounted to a local directory.

Exploitation Scenario

An adversary scans for exposed MLflow instances (default port 5000/5001) via Shodan or internal network scanning. They identify a deployment with DBFS configured and mounted to the host filesystem. They craft a malicious URL that passes path traversal sequences in the query parameter rather than the path component — bypassing MLflow's incomplete path validation — and issue a GET request like: `GET /api/2.0/dbfs/read?path=../../../../../../etc/passwd`. The server follows the file:// protocol with the unsanitized input and returns the file contents. The attacker iterates to read ~/.aws/credentials, .env files, or MLflow's own database connection config, extracting cloud keys or database passwords to pivot deeper into the ML infrastructure.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary CWE-29 Path Traversal: '..filename' Primary CWE-29 Path Traversal: '\..\filename'

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.