Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2024-3848

CVE-2024-3848: Lfprojects MLflow Path Traversal Flaw

CVE-2024-3848 is a path traversal vulnerability in MLflow 2.11.0 that bypasses CVE-2023-6909 protections, allowing attackers to read sensitive files via URL fragment manipulation. This article covers technical details and fixes.

Published:

CVE-2024-3848 Overview

CVE-2024-3848 is a path traversal vulnerability in MLflow version 2.11.0 that bypasses the prior fix for CVE-2023-6909. The flaw resides in how MLflow validates artifact location URLs supplied to the tracking server. By inserting a # character, an attacker can place a filesystem path into the URL fragment, which bypasses scheme validation. When MLflow later converts the URL to a filesystem path, it honors the attacker-controlled fragment and reads files outside the intended artifact directory. Exploitation enables disclosure of sensitive files such as SSH keys, cloud provider credentials, and configuration data. The vulnerability is classified under [CWE-22] Path Traversal and [CWE-29] Path Traversal: \..\filename.

Critical Impact

Unauthenticated network attackers can read arbitrary files from the MLflow server host, including SSH keys and cloud credentials.

Affected Products

  • MLflow 2.11.0 (lfprojects mlflow)
  • Earlier MLflow releases that share the vulnerable artifact URL handling logic
  • MLflow tracking server deployments exposing the REST API

Discovery Timeline

  • 2024-05-16 - CVE-2024-3848 published to the National Vulnerability Database (NVD)
  • 2025-01-24 - Last updated in NVD database

Technical Details for CVE-2024-3848

Vulnerability Analysis

MLflow's experiment creation endpoint accepts an artifact_location parameter that specifies where experiment artifacts should be stored. The tracking server parses this value as a URL and validates the scheme and query string before persisting it. The validation routine does not inspect the URL fragment component, the portion of a URL following the # character.

When MLflow later resolves the URL into a filesystem path for read operations, the fragment is concatenated into the resulting path. An attacker can therefore supply a URL where the scheme appears benign but the fragment contains traversal sequences pointing at sensitive locations on the server filesystem. The downstream resolver follows the attacker-controlled path, returning file contents in API responses.

Root Cause

The root cause is incomplete input validation following the prior fix for CVE-2023-6909. The original patch validated the URL scheme and query string but did not reject URLs containing a fragment. Because Python's urllib.parse.urlparse separates the fragment from the rest of the URL, downstream code that reconstructed the path inherited the attacker-controlled fragment without re-validation.

Attack Vector

Exploitation requires network access to the MLflow tracking server REST API but no authentication or user interaction. An attacker submits a crafted create_experiment request whose artifact_location contains a # followed by an absolute or traversal-based filesystem path. Subsequent artifact retrieval calls return the contents of attacker-specified files.

python
# Security patch in mlflow/server/handlers.py
# Fix Local File Read/Path Traversal bypass (#11376)

    # Validate query string in artifact location to prevent attacks
    parsed_artifact_locaion = urllib.parse.urlparse(request_message.artifact_location)
    if parsed_artifact_locaion.fragment:
        raise MlflowException(
            "'artifact_location' URL can't include fragment part.",
            error_code=INVALID_PARAMETER_VALUE,
        )
    validate_query_string(parsed_artifact_locaion.query)
    experiment_id = _get_tracking_store().create_experiment(
        request_message.name, request_message.artifact_location, tags
    )

Source: MLflow GitHub commit f8d51e2

Detection Methods for CVE-2024-3848

Indicators of Compromise

  • HTTP requests to /api/2.0/mlflow/experiments/create whose artifact_location value contains a # character followed by filesystem path syntax such as /etc/, /root/.ssh/, or ...
  • Outbound API responses returning contents of sensitive files like id_rsa, .aws/credentials, or /etc/passwd.
  • Unexpected experiment entries in the MLflow tracking store referencing local filesystem paths through URL fragments.

Detection Strategies

  • Inspect MLflow tracking server access logs for create_experiment calls containing %23 or # in the artifact_location field.
  • Compare deployed MLflow versions against the patched release using package inventory data, flagging hosts running 2.11.0 or earlier.
  • Monitor process telemetry on MLflow hosts for the server process opening files outside the configured artifact root directory.

Monitoring Recommendations

  • Enable verbose request logging on the MLflow REST API and forward logs to a centralized SIEM for correlation.
  • Alert on any read access by the MLflow service account to credential stores such as ~/.ssh, ~/.aws, or ~/.config/gcloud.
  • Track EPSS scoring for this CVE, currently 77.074% (98.99 percentile), as a prioritization signal for patching cadence.

How to Mitigate CVE-2024-3848

Immediate Actions Required

  • Upgrade MLflow to the version containing commit f8d51e2, which rejects artifact_location URLs that include a fragment component.
  • Restrict network access to the MLflow tracking server using firewall rules or reverse proxy allowlists until patching is complete.
  • Rotate any credentials, SSH keys, or cloud API tokens stored on hosts running vulnerable MLflow versions.

Patch Information

The fix is published in the MLflow repository at commit f8d51e21523238280ebcfdb378612afd7844eca8. The patch adds a check that raises MlflowException with INVALID_PARAMETER_VALUE when the parsed artifact location URL contains a fragment. Additional technical context is available in the Huntr bounty report.

Workarounds

  • Place the MLflow tracking server behind an authenticating reverse proxy that strips or rejects URL fragments in API request bodies.
  • Run the MLflow server as a low-privilege user inside a container with a read-only filesystem and no access to credential directories.
  • Deploy a web application firewall rule that blocks create_experiment requests where artifact_location contains the # character.
bash
# Example: upgrade MLflow and verify the installed version
pip install --upgrade mlflow
python -c "import mlflow; print(mlflow.__version__)"

# Example: minimal nginx rule to drop requests with '#' in artifact_location
# location /api/2.0/mlflow/experiments/create {
#     if ($request_body ~* "artifact_location.*#") { return 400; }
#     proxy_pass http://mlflow_backend;
# }

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne