CVE-2024-8859
Published 2025-03-20
Priority: P3 (55) · Severity: high · CVSS 3.0 base score: 7.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit likelihood (EPSS): 2.50%, 82.7th percentile
A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while parts such as query and parameters are not handled. The vulnerability is triggered if the user has configured the dbfs service, and during usage, the service is mounted to a local directory.
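To make the root-cause sentence concrete, here is a simplified model of the flaw in Python. It is an added example written for this page, not MLflow's own code: the dbfs source string is URL-decoded, split with urlsplit, only the path component is screened for '..' segments, and then the whole decoded string (query included) is concatenated to the local mount. The mount point /dbfs, the run id, and all function names are assumptions of the example. The hardened variant beside it refuses URL delimiters outright and enforces containment on the final resolved path.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Assumed local mount point of the dbfs artifact store (illustrative; the real
# mount path depends on the deployment).
MOUNT_ROOT = "/dbfs"

# Payload shape from the Nuclei indicator above: an encoded '?' followed by
# traversal sequences (run id "run1" is made up for the example).
PAYLOAD = "dbfs:/run1/artifacts/a%3f/../../../../../../../../../../../../"


def path_component_is_safe(path: str) -> bool:
    """The kind of check the CVE text describes: look for '..' segments in a path string."""
    return ".." not in path.split("/")


def local_path_vulnerable(source: str, artifact_path: str) -> str:
    """Model of the flawed flow: screen only the URL's path component, then join
    the whole decoded string to the mount. urlsplit stops the path at the first
    '?', so everything after it is never screened."""
    decoded = unquote(source)              # "%3f" becomes "?"
    parts = urlsplit(decoded)              # path="/run1/artifacts/a", query="/../../.."
    if parts.scheme != "dbfs" or not path_component_is_safe(parts.path):
        raise ValueError("rejected by path check")
    rel = decoded[len("dbfs:"):]           # query still included, unscreened
    return posixpath.normpath(MOUNT_ROOT + rel + "/" + artifact_path)


def local_path_fixed(source: str, artifact_path: str) -> str:
    """Hardened version: never split on URL delimiters, refuse them outright, and
    enforce containment on the final resolved path rather than on a fragment."""
    decoded = unquote(source)
    if not decoded.startswith("dbfs:/"):
        raise ValueError("not a dbfs source")
    rel = decoded[len("dbfs:"):]
    if any(c in rel for c in "?#;"):
        raise ValueError("URL delimiter in artifact location")
    full = posixpath.normpath(
        posixpath.join(MOUNT_ROOT, rel.lstrip("/"), artifact_path.lstrip("/"))
    )
    if full != MOUNT_ROOT and not full.startswith(MOUNT_ROOT + "/"):
        raise ValueError("resolved path escapes the mount")
    return full


def try_resolve(resolver, source: str, artifact_path: str) -> str:
    """Return the resolved local path, or 'REJECTED' when the resolver refuses the input."""
    try:
        return resolver(source, artifact_path)
    except ValueError:
        return "REJECTED"


if __name__ == "__main__":
    for name, fn in (("vulnerable", local_path_vulnerable), ("fixed", local_path_fixed)):
        print(name, try_resolve(fn, PAYLOAD, "etc/passwd"))
        print(name, try_resolve(fn, "dbfs:/run1/../../etc", "passwd"))
        print(name, try_resolve(fn, "dbfs:/run1/artifacts", "model/MLmodel"))
```

The plain traversal ("dbfs:/run1/../../etc") is caught by the path-only check in both variants, which is why the payload needs the '?' to move the '..' segments into the part the check never sees; the fixed variant catches the same payload because it validates the string that is actually joined to the mount, not a parsed fragment of it.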
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lfprojects | mlflow | — | — |
| lfprojects | mlflow | >= 0 < 2.17.0rc0 | 2.17.0rc0 |
| mlflow | mlflow_mlflow | >= unspecified < 2.17.0 | 2.17.0 |
Detection & IOCs (extracted from sources)
- command: `{"name": "{{randstr}}", "source": "dbfs:/{{RUN_ID}}/artifacts/a%3f/../../../../../../../../../../../../"}`
- yara/regex: `root:.*:0:0:`
- The exploit chain starts by creating an MLflow experiment with artifact_location set to 'dbfs:/': monitor POST requests to /ajax-api/2.0/mlflow/experiments/create containing 'dbfs:/' in the body.
- The path traversal payload is delivered via the 'source' field of model-versions/create, using a URL-encoded '?' (%3f) followed by directory traversal sequences: detect 'a%3f' combined with '../' sequences in the POST body to /ajax-api/2.0/mlflow/model-versions/create.
- The final file read is triggered via GET /model-versions/get-artifact with 'path=etc/passwd': monitor requests to this endpoint with sensitive file paths in the 'path' parameter.
- The upload-artifact endpoint is abused with a query-string injection in the path parameter ('path=a?/a') to plant a file at a traversable location: detect '?' characters in the 'path' query parameter of /ajax-api/2.0/mlflow/upload-artifact.
- Shodan/FOFA fingerprint for exposed MLflow instances: HTTP title 'mlflow'. Use it as a pre-exploitation surface discovery indicator.
- Root cause: only the path part of the URL is validated; the query and parameter parts are not sanitised. Detection logic should inspect the full URL, including the query string, for traversal sequences on dbfs-backed endpoints.
- Exploitation requires the dbfs service to be configured and mounted to a local directory; instances without dbfs configured are not vulnerable.
- The affected versions are mlflow 2.15.1 and below; the fix is in 2.17.0, so version checks should target the range < 2.17.0.
- The Nuclei template is marked 'intrusive': running it against production systems will create and delete experiments and model versions as side effects of the exploit chain.
OSV
osv · 2025-03-20 · CVE-2024-8859 [HIGH]
MLflow has a Local File Read/Path Traversal in dbfs
(Description identical to the CVE text above.)
GHSA
ghsa · 2025-03-20 · CVE-2024-8859 [HIGH] · CWE-22
MLflow has a Local File Read/Path Traversal in dbfs
(Description identical to the CVE text above.)
No detection rules found.
Nuclei
nuclei · CVSS 7.5 · CVE-2024-8859 [HIGH]
Mlflow < 2.17.0 - Local File Inclusion
Mlflow before 2.17.0 is susceptible to local file inclusion due to path traversal in GitHub repository mlflow/mlflow. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Template:
```yaml
id: CVE-2024-8859

info:
  name: Mlflow < 2.17.0 - Local File Inclusion
  author: gy741
  severity: critical
  description: |
    Mlflow before 2.17.0 is susceptible to local file inclusion due to path traversal in GitHub repository mlflow/mlflow. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  impact: |
    Successful exploitation could allow an attacker to read sens
```
No writeups or analysis indexed.