CVE-2024-8859
published 2025-03-20


Priority: P3 (55) · Severity: high · CVSS 3.0 base score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: EPSS 2.50% (82.7th percentile)
A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When a user configures and uses the dbfs artifact service, the dbfs URL is concatenated directly into a local file path, which results in an arbitrary file read. The cause is that only the path component of the URL is checked for traversal; the query and parameter components are not handled, so '..' sequences placed after a '?' pass the check but still reach the filesystem once the whole string is used as a path. The vulnerability is triggered only when the dbfs service is configured and, during use, mounted to a local directory.
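The flaw described above, modelled as an added example: this is not MLflow's code, it only reconstructs the pattern the advisory states (the traversal check inspects the URL's path component while the whole URL, query included, is glued onto a local path) and places a confined mapping beside it. The mount directory, the function names and the sample payload shape are assumptions made for the demonstration.

```python
"""Model of the URL-validation flaw the CVE-2024-8859 advisory describes.

Added example, not MLflow's code: it reconstructs only the stated pattern
(check urlparse(url).path, then concatenate the whole URL onto a local path).
MOUNT, the function names and PAYLOAD are assumptions for the demonstration.
"""
import os
from urllib.parse import urlparse

MOUNT = "/srv/dbfs-mount"  # assumed: local directory the dbfs service is mounted on

# Shape of the 'source' value from the public template, with '%3f' already
# decoded to '?' and enough '../' components to climb out of MOUNT (assumed).
PAYLOAD = "dbfs:/run-1/artifacts/a?/../../../../../../etc/passwd"


def path_component_is_clean(url: str) -> bool:
    """The flawed check: it looks for '..' in urlparse(url).path only.

    For PAYLOAD the parsed path is '/run-1/artifacts/a'; everything after the
    '?' is the query component and is never inspected.
    """
    return ".." not in urlparse(url).path.split("/")


def local_path_vulnerable(url: str) -> str:
    """Flawed mapping: drop the scheme and concatenate the rest, query included."""
    if not path_component_is_clean(url):
        raise ValueError("traversal in path")
    return MOUNT + url[len("dbfs:"):]


def where_it_lands(url: str) -> str:
    """Normalised view of what the vulnerable mapping would open.

    The kernel resolves 'a?/..' only if a directory literally named 'a?'
    exists, which is why the exploit chain plants one first.
    """
    return os.path.normpath(local_path_vulnerable(url))


def local_path_hardened(url: str) -> str:
    """Confined mapping: reject any non-path component, normalise, stay under MOUNT."""
    parts = urlparse(url)
    if parts.scheme != "dbfs" or parts.netloc or parts.query or parts.fragment or parts.params:
        raise ValueError("only a bare dbfs:/path URL is accepted")
    candidate = os.path.normpath(os.path.join(MOUNT, parts.path.lstrip("/")))
    # commonpath, not a string prefix test, so '/srv/dbfs-mount2/...' is rejected too.
    if os.path.commonpath([MOUNT, candidate]) != MOUNT:
        raise ValueError("path escapes the mount")
    return candidate


def accepted_by_hardened(url: str) -> bool:
    """Convenience wrapper: True if the confined mapping accepts the URL."""
    try:
        local_path_hardened(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("flawed check passes:", path_component_is_clean(PAYLOAD))
    print("vulnerable mapping opens:", where_it_lands(PAYLOAD))
    print("hardened mapping accepts payload:", accepted_by_hardened(PAYLOAD))
```

The hardened mapping refuses the query outright rather than trying to sanitise it: a dbfs artifact URL has no legitimate use for '?' or '#', so rejecting any URL that carries one removes the whole class of "traversal hidden behind a delimiter the validator strips" bugs, and the commonpath check catches the plain '/../' form as well.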

Affected (3 ranges)

Vendor      Product        Version range              Fixed in
lfprojects  mlflow
lfprojects  mlflow         >= 0 < 2.17.0rc0           2.17.0rc0
mlflow      mlflow_mlflow  >= unspecified < 2.17.0    2.17.0

Detection & IOCs (extracted from sources)

url: /ajax-api/2.0/mlflow/experiments/create
url: /ajax-api/2.0/mlflow/upload-artifact?run_uuid={{RUN_ID}}&path=a?/a
url: /model-versions/get-artifact?name={{randstr}}&version=1&path=etc/passwd
command: {"name": "{{randstr}}", "artifact_location": "dbfs:/"}
command: {"name": "{{randstr}}", "source": "dbfs:/{{RUN_ID}}/artifacts/a%3f/../../../../../../../../../../../../"}
path: a%3f/../../../../../../../../../../../../
yara regex: root:.*:0:0: (the root entry of /etc/passwd, used to confirm the read)
  • The exploit chain starts by creating an MLflow experiment whose artifact_location is 'dbfs:/'; monitor POST requests to /ajax-api/2.0/mlflow/experiments/create containing 'dbfs:/' in the body.
  • The upload-artifact endpoint is then abused with a query-string injection in its path parameter ('path=a?/a'). This plants a file 'a' inside a directory literally named 'a?' under the run's artifact root, so that the later 'a?/../' sequence resolves against a directory that exists. Detect '?' characters in the 'path' query parameter of /ajax-api/2.0/mlflow/upload-artifact.
  • The traversal payload is delivered in the 'source' field of model-versions/create: a URL-encoded '?' (%3f) followed by '../' sequences. Detect 'a%3f' (or a decoded '?') combined with '../' in POST bodies to /ajax-api/2.0/mlflow/model-versions/create.
  • The final file read is a GET to /model-versions/get-artifact with 'path=etc/passwd'; monitor this endpoint for sensitive file paths in the 'path' parameter. The template confirms success by matching the regex root:.*:0:0: against the response body.
  • Root cause: only the path part of the URL is validated; the query and parameter parts are not sanitised. Detection logic should inspect the full URL, query string included, for traversal sequences on dbfs-backed endpoints.
  • Exploitation requires the dbfs service to be configured and mounted to a local directory; instances without dbfs configured are not vulnerable.
  • The advisory names mlflow 2.15.1 as the tested version, but the affected ranges cover everything below 2.17.0 (fixed in 2.17.0rc0 and 2.17.0); version checks should target < 2.17.0.
  • Shodan/FOFA fingerprint for exposed MLflow instances: HTTP title 'mlflow'. Use it as a pre-exploitation surface discovery indicator.
  • The Nuclei template is marked 'intrusive': running it against production systems creates and deletes experiments and model versions as side effects of the exploit chain.
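The detection points in the list above, turned into one rule set and run over a constructed sample of proxied requests. This is an added example, not from the original page, the Nuclei template or MLflow: the JSON-lines record format, the stage names and the sample requests are assumptions; a real deployment would feed it from a reverse proxy or WAF log that captures request bodies.

```python
"""Stage-by-stage detection of the CVE-2024-8859 exploit chain.

Added example, not from the page or from MLflow. Records are JSON lines with
method, uri and body (assumed format); SAMPLE_LOG is constructed: lines 1-4
replay the public exploit chain, lines 5-6 are benign traffic.
"""
import json
from urllib.parse import parse_qs, unquote, urlsplit

SAMPLE_LOG = r'''
{"method":"POST","uri":"/ajax-api/2.0/mlflow/experiments/create","body":"{\"name\": \"x7q2\", \"artifact_location\": \"dbfs:/\"}"}
{"method":"POST","uri":"/ajax-api/2.0/mlflow/upload-artifact?run_uuid=0f3a&path=a?/a","body":"hello"}
{"method":"POST","uri":"/ajax-api/2.0/mlflow/model-versions/create","body":"{\"name\": \"x7q2\", \"source\": \"dbfs:/0f3a/artifacts/a%3f/../../../../../../../../../../../../\"}"}
{"method":"GET","uri":"/model-versions/get-artifact?name=x7q2&version=1&path=etc/passwd","body":""}
{"method":"POST","uri":"/ajax-api/2.0/mlflow/experiments/create","body":"{\"name\": \"nightly\", \"artifact_location\": \"s3://bucket/mlruns\"}"}
{"method":"GET","uri":"/model-versions/get-artifact?name=nightly&version=3&path=model/MLmodel","body":""}
'''

# Substrings that should never appear in an artifact path (assumed watch list).
SENSITIVE_PATHS = ("etc/passwd", "etc/shadow", ".ssh/", ".aws/", ".env")


def has_traversal(text: str) -> bool:
    """True if a '..' path component appears anywhere after percent-decoding."""
    return ".." in unquote(text).replace("\\", "/").split("/")


def detect(record: dict) -> list:
    """Return the names of the chain stages a single request matches."""
    method = record["method"].upper()
    body = record.get("body", "")
    parts = urlsplit(record["uri"])
    path = parts.path
    # The query is parsed from the raw string, so a '?' inside a value survives.
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    # Stage 1: experiment whose artifact root is the dbfs mount.
    if method == "POST" and path.endswith("/experiments/create") and "dbfs:/" in body:
        hits.append("stage1-experiment-dbfs-root")
    # Stage 2: '?' (or traversal) injected into upload-artifact's path parameter.
    if path.endswith("/upload-artifact"):
        for value in params.get("path", []):
            if "?" in unquote(value) or has_traversal(value):
                hits.append("stage2-upload-artifact-path-injection")
                break
    # Stage 3: traversal hidden behind an encoded '?' in the model version source.
    if method == "POST" and path.endswith("/model-versions/create"):
        decoded = unquote(body)
        if "dbfs:" in decoded and "?" in decoded and has_traversal(decoded):
            hits.append("stage3-model-version-source-traversal")
    # Stage 4: artifact download whose path points at a sensitive file.
    if path.endswith("/get-artifact"):
        for value in params.get("path", []):
            decoded = unquote(value)
            if has_traversal(decoded) or any(s in decoded for s in SENSITIVE_PATHS):
                hits.append("stage4-get-artifact-sensitive-path")
                break
    return hits


def scan(log_text: str) -> list:
    """Run detect() over JSON lines; return [(line_number, hits)] for matches only."""
    findings = []
    for number, line in enumerate(filter(None, log_text.strip().splitlines()), start=1):
        hits = detect(json.loads(line))
        if hits:
            findings.append((number, hits))
    return findings


if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

Stage 1 on its own is a weak signal (any legitimate dbfs-backed experiment triggers it), so treat it as context; stages 2 and 3 are the ones with no benign explanation, and seeing them from one client within a short window is a high-confidence match for this chain. The rules decode percent-encoding before matching so that '%3f' and '%2e%2e' variants do not slip past.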