CVE-2024-1483 Overview
CVE-2024-1483 is a path traversal vulnerability [CWE-22] affecting mlflow/mlflow version 2.9.2. The flaw lets remote, unauthenticated attackers read arbitrary files from the host running the MLflow tracking server. Attackers exploit the issue by sending crafted HTTP POST requests that supply malicious artifact_location and source parameters. The payloads use a local URI containing # instead of ?, bypassing server-side parsing checks and traversing the filesystem. The vulnerability stems from insufficient validation of user-supplied input inside MLflow request handlers.
Critical Impact
Unauthenticated network attackers can read arbitrary files from MLflow servers, exposing model artifacts, credentials, and configuration secrets.
Affected Products
- LF Projects MLflow 2.9.2
- MLflow tracking server deployments exposing the REST API
- Self-hosted MLflow instances using local artifact storage
Discovery Timeline
- 2024-04-16 - CVE-2024-1483 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-1483
Vulnerability Analysis
MLflow exposes REST endpoints that accept user-controlled location strings when registering experiments, runs, and models. Two parameters, artifact_location and source, are parsed as URIs and later resolved to filesystem paths. The handler logic strips query strings using the ? delimiter but fails to handle the fragment delimiter # consistently. Attackers exploit this parser asymmetry to smuggle traversal sequences past validation checks. The server then dereferences the manipulated URI and returns or writes file contents outside the intended artifact directory.
The EPSS score for CVE-2024-1483 is 2.718% with a percentile of 84.092, indicating measurable interest among scanning and exploitation tooling.
Root Cause
The root cause is improper limitation of a pathname to a restricted directory [CWE-22]. MLflow normalizes user input as a URI but does not canonicalize the resulting filesystem path against an allowlisted base directory. The handler trusts the parsed URI components and concatenates them into a path passed to file I/O routines. Sequences such as ../ survive validation when embedded after a # fragment marker.
Attack Vector
The attack vector is network based and requires no authentication or user interaction. An attacker sends a sequence of HTTP POST requests to the MLflow tracking server. Each request supplies an artifact_location or source value crafted as a file:// URI with traversal sequences placed after a # character. The server resolves the URI, walks out of the artifact root, and exposes arbitrary files such as /etc/passwd, SSH keys, or cloud provider credentials stored on the host.
No verified public exploit code is available. See the Huntr Bounty Listing for the original technical writeup.
Detection Methods for CVE-2024-1483
Indicators of Compromise
- HTTP POST requests to /api/2.0/mlflow/experiments/create or /api/2.0/mlflow/runs/log-model containing # fragments and ../ sequences in artifact_location or source parameters.
- MLflow access logs showing successful 200 responses for requests referencing file:// URIs pointing outside the configured artifact root.
- Unexpected reads of sensitive files such as /etc/passwd, ~/.aws/credentials, or id_rsa originating from the MLflow service account.
Detection Strategies
- Inspect MLflow application logs for request bodies containing file:// schemes combined with # fragments or encoded traversal sequences (%2e%2e%2f).
- Deploy WAF or reverse proxy rules that reject requests where artifact_location or source fields contain .., #, or non-allowlisted URI schemes.
- Correlate MLflow process file-open events with the configured artifact directory to identify out-of-bounds reads.
Monitoring Recommendations
- Forward MLflow server access logs and host-level file access telemetry to a centralized SIEM for retroactive hunting.
- Alert on any process spawned by the MLflow service that touches credential stores, SSH directories, or cloud metadata mounts.
- Track MLflow API request volumes and flag sustained POSTs from a single source to experiment or model creation endpoints.
How to Mitigate CVE-2024-1483
Immediate Actions Required
- Upgrade MLflow to a version later than 2.9.2 that addresses the path traversal in artifact_location and source handling.
- Restrict network exposure of the MLflow tracking server to trusted networks or place it behind an authenticating reverse proxy.
- Audit MLflow host filesystems for evidence of sensitive file disclosure during the exposure window.
Patch Information
Upgrade mlflow to the latest release published after the disclosure documented in the Huntr Bounty Listing. Verify the installed version with pip show mlflow and rebuild any container images that pin version 2.9.2.
Workarounds
- Run the MLflow tracking server as an unprivileged user inside a container with a read-only root filesystem and no access to host credentials.
- Configure MLflow to use remote artifact stores such as S3 or Azure Blob and disable local file:// URI handling at the proxy layer.
- Enforce a WAF rule that rejects requests whose JSON bodies contain file://, #, or .. in fields known to accept artifact locations.
# Upgrade MLflow and validate the installed version
pip install --upgrade mlflow
pip show mlflow | grep -i version
# Example nginx rule to block file:// URIs in MLflow requests
location /api/2.0/mlflow/ {
if ($request_body ~* "file://") { return 403; }
proxy_pass http://mlflow_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
