CVE-2024-1593 Overview
CVE-2024-1593 is a path traversal vulnerability in the mlflow/mlflow repository. The flaw stems from improper handling of URL parameters when the application parses request paths. Attackers can smuggle traversal sequences using the ; (semicolon) character to manipulate the params portion of the URL. This technique bypasses prior fixes that addressed similar traversal vectors. Successful exploitation grants unauthorized access to files or directories on the host running mlflow, leading to information disclosure or potential server compromise. The vulnerability is categorized under CWE-22: Improper Limitation of a Pathname to a Restricted Directory.
Critical Impact
Unauthenticated attackers can read arbitrary files on mlflow servers exposed to the network, exposing model artifacts, credentials, and configuration data.
Affected Products
- lfprojects mlflow (all versions prior to the vendor fix referenced in the advisory)
- MLflow tracking server deployments exposed over HTTP
- Self-hosted MLflow instances accessible without authentication
Discovery Timeline
- 2024-04-16 - CVE-2024-1593 published to the National Vulnerability Database (NVD)
- 2025-02-03 - Last updated in NVD database
Technical Details for CVE-2024-1593
Vulnerability Analysis
The vulnerability resides in how mlflow's HTTP layer parses URL paths and separates them from request parameters. Web frameworks and proxies commonly treat the ; character as a path parameter delimiter per RFC 3986, while application-level routing may treat it differently. This inconsistency allows attackers to smuggle path traversal sequences past validation logic. By embedding ; followed by directory traversal sequences such as ../, an attacker can manipulate the resolved file path used by backend handlers. The result is access to files outside the intended artifact directory. MLflow is widely deployed in machine learning pipelines and frequently stores credentials, datasets, and model binaries that are valuable to attackers.
Root Cause
The root cause is inconsistent URL normalization between the routing layer and the file resolution logic. The parser fails to strip or canonicalize path parameters introduced by the ; character before performing filesystem lookups. This is a variant bypass of earlier traversal fixes in mlflow, indicating insufficient input canonicalization across all URL components.
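The parser inconsistency described above, as an added example (not mlflow's code and not part of the original advisory): Python's urllib.parse.urlparse moves text after ; in the last path segment into a separate params field, so a check that inspects only .path never sees it. The artifact root, host name, file names and function names are hypothetical.

```python
import posixpath
from urllib.parse import unquote, urlparse

ARTIFACT_ROOT = "/srv/mlflow/artifacts"  # hypothetical artifact root (assumption)


def path_only_check(uri):
    """Incomplete pattern: inspects only the .path component urlparse returns."""
    return ".." not in unquote(urlparse(uri).path).split("/")


def canonical_check(uri, root=ARTIFACT_ROOT):
    """Stricter pattern: account for every component before trusting the path."""
    parsed = urlparse(uri)
    # urlparse moves text after ';' in the last segment into .params,
    # so .path alone does not describe the whole request target.
    if parsed.params or ";" in parsed.path:
        return False
    path = unquote(parsed.path)
    # Reject leftovers that signal nested encoding or alternate separators.
    if any(ch in path for ch in ("%", ";", "\\", "\x00")):
        return False
    candidate = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    return candidate == root or candidate.startswith(root + "/")


# Constructed inputs; the host name and file names are illustrative only.
SAMPLES = [
    "http://tracking.example/run1/model.pkl",
    "http://tracking.example/run1;..%2f..%2fsecret",
    "http://tracking.example/run1/../../secret",
]


def compare(samples=SAMPLES):
    """Return (uri, params, path_only_check, canonical_check) per sample."""
    return [(u, urlparse(u).params, path_only_check(u), canonical_check(u)) for u in samples]
```

For the second sample, path_only_check returns True while canonical_check returns False, because the traversal text sits in params rather than path.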
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker crafts an HTTP request to a publicly reachable mlflow endpoint, inserting ; followed by encoded traversal sequences within the URL path or parameter section. The mlflow server resolves the manipulated path against the local filesystem and returns the contents of the targeted file. No verified public proof-of-concept code is available. Refer to the Huntr Vulnerability Bounty disclosure for technical details.
Detection Methods for CVE-2024-1593
Indicators of Compromise
- HTTP request logs containing the ; character followed by ../ or URL-encoded variants such as %2e%2e%2f in mlflow endpoint paths
- Unexpected GET requests to mlflow artifact or model endpoints referencing system paths like /etc/passwd, /proc/self/environ, or configuration files
- Outbound responses from mlflow containing file content unrelated to model artifacts
Detection Strategies
- Deploy web application firewall (WAF) rules that decode and normalize URLs before pattern matching, then flag traversal sequences regardless of ; delimiters
- Inspect mlflow access logs for requests with semicolons in path segments outside of expected parameter use
- Correlate mlflow process file-read activity with HTTP request telemetry to identify reads of files outside the artifact root
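One way to implement the decode-then-match log inspection described in the indicators and strategies above, as an added example that is not part of the original advisory. The log lines are constructed, and the endpoint paths, addresses and function names are assumptions rather than real mlflow routes.

```python
import re
from urllib.parse import unquote

# Request part of a combined-format access log line: "METHOD target HTTP/x.y" status
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# ".." as a whole segment, delimited by "/", "\" or ";" (so "model..v2" is not flagged)
TRAVERSAL_RE = re.compile(r'(?:^|[/\\;])\.\.(?:[/\\;]|$)')

# Constructed sample lines; addresses and endpoint paths are illustrative only.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:10:01:02 +0000] "GET /api/artifacts/run1/model.pkl HTTP/1.1" 200 5120
198.51.100.23 - - [10/May/2024:10:01:09 +0000] "GET /api/artifacts/run1;..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1843
198.51.100.23 - - [10/May/2024:10:01:11 +0000] "GET /api/artifacts/run1;%2e%2e%2f%2e%2e%2fproc/self/environ HTTP/1.1" 200 977
192.0.2.50 - - [10/May/2024:10:02:30 +0000] "GET /static/app;v=2.js HTTP/1.1" 200 300
192.0.2.50 - - [10/May/2024:10:02:31 +0000] "GET /api/artifacts/run1/model..v2/weights HTTP/1.1" 200 812
""".splitlines()

def decode_fully(value, max_rounds=5):
    """Percent-decode until the string stops changing (handles nested encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (verdict, status, decoded_path) for a suspicious line, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path = decode_fully(m["target"].split("?", 1)[0])  # path portion only
    semicolon, traversal = ";" in path, bool(TRAVERSAL_RE.search(path))
    if not (semicolon or traversal):
        return None
    verdict = "+".join(t for t, on in (("semicolon", semicolon), ("traversal", traversal)) if on)
    return verdict, int(m["status"]), path

def scan(lines):
    """Return (line_number, verdict, status, decoded_path) for each flagged line."""
    return [(n, *hit) for n, line in enumerate(lines, 1) if (hit := classify(line))]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A "semicolon+traversal" verdict with a 200 status is the combination to triage first; a bare "semicolon" verdict marks the path-parameter use that the second strategy says to review.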
Monitoring Recommendations
- Forward mlflow application and access logs to a centralized analytics platform for retention and query
- Alert on anomalous response sizes or content types returned by mlflow endpoints
- Monitor for new external IP addresses connecting to mlflow tracking servers, especially on unauthenticated deployments
How to Mitigate CVE-2024-1593
Immediate Actions Required
- Upgrade mlflow to the latest patched release referenced in the Huntr advisory
- Restrict network exposure of mlflow tracking servers to trusted internal networks or VPN-only access
- Enforce authentication and authorization in front of mlflow using a reverse proxy if the deployment lacks native auth
Patch Information
The vendor lfprojects released a fix addressing the semicolon-based parameter smuggling vector. Operators should review the Huntr Vulnerability Bounty disclosure to identify the fixed version and apply it through pip install --upgrade mlflow. Validate the upgrade in a staging environment before production rollout.
Workarounds
- Place mlflow behind a reverse proxy such as nginx that normalizes URL paths and rejects requests containing ; in path segments
- Run mlflow under a dedicated low-privilege user account with filesystem access limited to the artifact directory
- Apply container-level read-only mounts to prevent the mlflow process from reading sensitive host paths
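# nginx configuration to block semicolon-based path smuggling
location / {
    # $request_uri is the full original request URI, including arguments,
    # so this test runs against the undecoded value the client sent
    if ($request_uri ~* ";") {
        return 400;
    }
    proxy_pass http://mlflow_backend;
}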


