CVE-2024-3573 Overview
MLflow, the popular open-source platform for managing machine learning lifecycles, is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs. This vulnerability allows attackers to bypass security checks and read arbitrary files on the system. The issue arises from the is_local_uri function's failure to properly handle URIs with empty or file schemes, leading to the misclassification of URIs as non-local.
Attackers can exploit this vulnerability by crafting malicious model versions with specially crafted source parameters, enabling the reading of sensitive files within at least two directory levels from the server's root.
Critical Impact
Unauthenticated remote attackers can read sensitive files from the MLflow server, potentially exposing credentials, configuration files, and other confidential data without user interaction.
Affected Products
- LF Projects MLflow (all versions prior to the security patch)
- MLflow deployments with model registry functionality enabled
- Self-hosted MLflow tracking servers exposed to network access
Discovery Timeline
- 2024-04-16 - CVE-2024-3573 published to NVD
- 2025-02-03 - Last updated in NVD database
Technical Details for CVE-2024-3573
Vulnerability Analysis
This Local File Inclusion vulnerability exists in MLflow's URI parsing logic, specifically within the is_local_uri function. The function is designed to determine whether a given URI points to a local resource or a remote one, but fails to properly validate URIs with empty schemes or explicit file scheme prefixes.
When processing model version sources, MLflow should validate that source paths cannot reference arbitrary local files. However, due to the parsing flaw, an attacker can craft URIs that bypass this validation logic. The vulnerability is particularly concerning because it requires no authentication or user interaction to exploit, and can be triggered remotely over the network.
The scope of impact extends beyond the vulnerable MLflow component itself, as successful exploitation can lead to disclosure of sensitive system files, configuration data, and potentially credentials stored on the server.
Root Cause
The root cause lies in the is_local_uri function's incomplete handling of URI schemes. The function fails to correctly identify URIs with empty schemes (e.g., ://path/to/file) or explicit file: prefixes as local URIs. This causes the validation logic to incorrectly classify these paths as non-local, thereby bypassing the intended security restrictions.
The parsing logic does not account for edge cases where URI scheme components are manipulated to appear non-local while still resolving to local file system paths.
Attack Vector
The attack exploits the model version registration functionality in MLflow. An attacker can create or modify a model version with a specially crafted source parameter that bypasses the URI locality check. When the MLflow server processes requests involving this model version, it follows the malicious path and reads local files.
The exploitation flow involves sending a network request to an MLflow server with a crafted model version containing a malicious source path. The is_local_uri function incorrectly classifies the path as non-local, allowing the server to read and potentially return the contents of sensitive files located within at least two directory levels from the server's root directory. For detailed technical analysis, refer to the Huntr Bounty Report.
Detection Methods for CVE-2024-3573
Indicators of Compromise
- Unusual model version registrations with suspicious source parameter values containing file scheme prefixes or path traversal sequences
- Unexpected file access patterns in MLflow server logs, particularly accessing files outside normal model storage directories
- HTTP requests to MLflow endpoints containing URI-encoded path traversal characters (.., %2e%2e)
- Model versions with source fields containing file://, empty schemes, or unusual path patterns
Detection Strategies
- Monitor MLflow API endpoints for requests containing suspicious URI patterns in model version source parameters
- Implement file integrity monitoring on the MLflow server to detect unexpected file access outside of artifact storage locations
- Deploy web application firewall (WAF) rules to detect and block path traversal attempts in MLflow API requests
- Review audit logs for model version creation/modification events with anomalous source paths
Monitoring Recommendations
- Enable detailed logging for MLflow model registry operations to capture all model version source parameters
- Set up alerts for file access attempts outside designated MLflow artifact directories
- Monitor network traffic to MLflow servers for requests containing file:// scheme or path traversal patterns
- Implement anomaly detection for unusual model version registration patterns or frequencies
How to Mitigate CVE-2024-3573
Immediate Actions Required
- Update MLflow to the latest patched version immediately
- Restrict network access to MLflow servers using firewall rules or network segmentation
- Review existing model versions for suspicious source parameter values
- Implement authentication and authorization controls on MLflow endpoints if not already in place
- Consider temporarily disabling external network access to MLflow model registry functionality until patching is complete
Patch Information
The vulnerability has been addressed by the MLflow maintainers. The fix is available in commit 438a450714a3ca06285eeea34bdc6cf79d7f6cbc, which improves the URI parsing logic in the is_local_uri function to properly handle edge cases with empty and file schemes.
Organizations should apply the patch by updating to the latest MLflow release that includes this fix. The patch can be reviewed in the GitHub Commit.
Workarounds
- Deploy MLflow behind a reverse proxy that filters requests containing suspicious URI patterns or path traversal sequences
- Implement network-level access controls to restrict MLflow API access to trusted IP ranges only
- Use containerization with read-only file systems where possible to limit the impact of potential file inclusion attacks
- Monitor and audit all model version registrations for unusual source parameter values
# Example: Restrict MLflow server access using iptables
# Allow access only from trusted internal network
iptables -A INPUT -p tcp --dport 5000 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 5000 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
