CVE-2024-2083 Overview
CVE-2024-2083 is a directory traversal vulnerability in the zenml-io/zenml repository, an open-source MLOps framework. The flaw resides in the /api/v1/steps endpoint, where the logs URI path parameter is not validated against directory traversal sequences. Authenticated attackers can manipulate the parameter to retrieve arbitrary files from the host filesystem, bypassing the artifact store isolation boundary. The vulnerability is tracked under CWE-29: Path Traversal: '..\filename'.
Critical Impact
Authenticated attackers can read arbitrary files from the ZenML server, including configuration files, credentials, and secrets stored outside the intended artifact store path.
Affected Products
- ZenML (zenml-io/zenml) — versions prior to the fix in commit 00e934f
- ZenML server deployments exposing the /api/v1/steps API
- ZenML installations using local or shared filesystem artifact stores
Discovery Timeline
- 2024-04-16 - CVE-2024-2083 published to NVD
- 2025-05-12 - Last updated in NVD database
Technical Details for CVE-2024-2083
Vulnerability Analysis
The vulnerability exists in the step logs retrieval logic of the ZenML server. The /api/v1/steps endpoint accepts a logs URI parameter intended to point to log files within the configured artifact store. The server does not normalize the supplied path or verify that the resolved location stays within the artifact store boundary. An attacker authenticated to the ZenML API can submit traversal sequences such as ../../etc/passwd to read files outside the artifact store directory.
Because ZenML deployments typically run with broad filesystem access to support multiple pipelines, the exposed file scope often includes deployment secrets, cloud credential files, Kubernetes service account tokens, and pipeline configuration data.
Root Cause
The root cause is missing artifact store isolation. The pre-patch code path used zenml.io.fileio to resolve and read log URIs directly from the underlying filesystem, bypassing the artifact store abstraction that enforces path containment. Any URI accepted by the local filesystem driver was honored, including absolute paths and relative traversal sequences.
Attack Vector
An attacker with low-privileged API access sends a crafted request to the steps endpoint with a logs URI containing traversal segments. The server resolves the path against the host filesystem and returns the file contents in the API response. No user interaction is required, and the network attack vector makes the issue exploitable wherever the ZenML server is reachable.
# Patch excerpt — src/zenml/artifacts/utils.py
if not uri.startswith(artifact_store.path):
uri = os.path.join(artifact_store.path, uri)
- if manual_save and fileio.exists(uri):
+ if manual_save and artifact_store.exists(uri):
# This check is only necessary for manual saves as we already check
# it when creating the directory for step output artifacts
other_artifacts = client.list_artifact_versions(uri=uri, size=1)
Source: zenml-io/zenml commit 00e934f
The fix replaces direct fileio calls with artifact_store.exists(), routing path checks through the artifact store abstraction so resolved paths are validated against the configured store boundary.
# Patch excerpt — src/zenml/logging/step_logging.py
from zenml.artifact_stores import BaseArtifactStore
-from zenml.io import fileio
+from zenml.client import Client
from zenml.logger import get_logger
Source: zenml-io/zenml commit 00e934f
Detection Methods for CVE-2024-2083
Indicators of Compromise
- HTTP requests to /api/v1/steps containing ../ sequences or URL-encoded variants such as %2e%2e%2f in the logs query parameter.
- API responses returning file contents inconsistent with expected ZenML log formats (for example, content from /etc/passwd, .env, or cloud credential files).
- Unusual logs URI values referencing absolute paths outside the configured artifact store root.
Detection Strategies
- Inspect ZenML web server access logs for requests to /api/v1/steps that include traversal patterns or absolute paths in query strings.
- Implement a web application firewall (WAF) rule that flags requests to ZenML endpoints containing .., %2e%2e, or ~/ sequences in URI parameters.
- Correlate authenticated ZenML API sessions with anomalous file access patterns and large response payloads from log retrieval endpoints.
Monitoring Recommendations
- Enable verbose API request logging on the ZenML server and forward events to a centralized log platform for retention and search.
- Alert on repeated 200 OK responses from /api/v1/steps with response sizes that deviate from baseline log retrieval sizes.
- Monitor filesystem access on the ZenML host for reads outside the artifact store directory by the ZenML service account.
How to Mitigate CVE-2024-2083
Immediate Actions Required
- Upgrade ZenML to the version containing commit 00e934f33a243a554f5f65b80eefd5ea5117367b (Improve Artifact Store isolation #2490) or later.
- Rotate any credentials, API tokens, and secrets that were accessible from the ZenML server host, as they may have been exfiltrated.
- Restrict network exposure of the ZenML API to trusted networks and authenticated users only.
Patch Information
The vendor fix is delivered in commit 00e934f, which routes log and artifact path resolution through the BaseArtifactStore abstraction. This enforces containment within the configured artifact store path and removes the direct fileio access that enabled the traversal. Additional context is available in the Huntr bounty disclosure.
Workarounds
- Run the ZenML server under a dedicated, unprivileged service account with filesystem permissions limited to the artifact store directory.
- Deploy a reverse proxy or WAF rule that rejects requests to /api/v1/steps containing traversal patterns until patching is complete.
- Disable or firewall-block external access to the ZenML API and restrict access to internal CI/CD networks while remediation is in progress.
# Example nginx reverse-proxy rule to block traversal patterns on the steps endpoint
location /api/v1/steps {
if ($args ~* "(\.\./|%2e%2e|%2f%2e%2e)") {
return 403;
}
proxy_pass http://zenml-backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
