CVE-2023-5245

7.5 HIGH

📋 TL;DR

This vulnerability is a path traversal flaw in MLeap's FileUtil.extract() function that allows attackers to write arbitrary files outside the intended extraction directory when processing malicious ZIP archives. It affects systems using MLeap's TensorflowModel with saved_model format, potentially leading to remote code execution. Organizations using MLeap for machine learning model deployment are at risk.

💻 Affected Systems

Products:
  • MLeap (combust/mleap)
Versions: Prior to the fix in pull request #866
Operating Systems: All operating systems where MLeap runs
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects TensorflowModel usage with saved_model format when processing exported tensorflow models via the apply() function.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with full system compromise, allowing attackers to install malware, steal data, or pivot to other systems.

🟠 Likely Case

Arbitrary file creation leading to denial of service, data corruption, or limited code execution depending on file permissions.

🟢 If Mitigated

Contained file writes to isolated directories with minimal impact if proper sandboxing and file permission controls are implemented.

🌐 Internet-Facing: HIGH - Exploitable via file upload functionality in web applications using MLeap, potentially allowing unauthenticated attacks.
🏢 Internal Only: MEDIUM - Requires access to internal systems but could be exploited by malicious insiders or through compromised internal accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires uploading a malicious ZIP archive with path traversal sequences in filenames. Public proof-of-concept exists in research publications.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in MLeap via pull request #866

Vendor Advisory: https://github.com/combust/mleap/pull/866

Restart Required: Yes

Instructions:

1. Update MLeap to a version containing the fix from PR #866.
2. Restart all services using MLeap.
3. Verify no vulnerable code paths remain.

🔧 Temporary Workarounds

Input Validation for ZIP Files

Platform: all

Implement pre-extraction validation to reject ZIP archives containing path traversal sequences (../, ..\) in filenames.

# Implement custom validation before calling FileUtil.extract()
# Example Python (zf = zipfile.ZipFile(path)): if any('..' in entry.filename for entry in zf.infolist()): reject
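
One way to implement the pre-extraction check described above, as an added Python example that is not MLeap's code or the change from PR #866. It goes beyond a substring match on `..` by resolving each entry against the destination directory, so backslash separators and absolute paths are also caught; the function names, sample entry names and destination path are constructed for illustration.

```python
import io
import os
import zipfile


def unsafe_entries(zip_bytes, dest_dir):
    """Return the names of entries that would be written outside dest_dir."""
    root = os.path.realpath(dest_dir)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Treat backslashes as separators so "..\" is caught on any OS.
            name = info.filename.replace("\\", "/")
            # Absolute paths and drive letters are rejected outright.
            if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
                bad.append(info.filename)
                continue
            # Resolve the final location and require it to stay under root.
            target = os.path.realpath(os.path.join(root, *name.split("/")))
            if os.path.commonpath([root, target]) != root:
                bad.append(info.filename)
    return bad


def build_zip(names):
    """Constructed sample: an in-memory ZIP with placeholder content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder")
    return buf.getvalue()


# Constructed archive: two ordinary saved_model entries, three that escape.
SAMPLE = build_zip([
    "saved_model/saved_model.pb",
    "saved_model/variables/variables.index",
    "../../outside.txt",
    "..\\outside.txt",
    "/abs/outside.txt",
])

if __name__ == "__main__":
    flagged = unsafe_entries(SAMPLE, "/tmp/mleap_extract_demo")
    print("reject archive" if flagged else "ok", flagged)
```

Reject the whole archive when the returned list is non-empty rather than skipping individual entries.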

Sandbox Extraction Directory

Platform: linux

Extract ZIP files to isolated, temporary directories with restricted permissions and validate extracted paths before moving files.

# Create temp dir with an unpredictable name: EXTRACT_DIR=$(mktemp -d /tmp/mleap_extract_XXXXXX)
# Set restrictive permissions: chmod 700 "$EXTRACT_DIR"

🧯 If You Can't Patch

  • Disable TensorflowModel saved_model format usage and switch to alternative model formats
  • Implement network segmentation to isolate MLeap services and restrict file system write permissions

🔍 How to Verify

Check if Vulnerable:

Check whether your MLeap version includes the vulnerable FileUtil.extract() implementation by examining the code or checking your version against PR #866.

Check Version:

Check MLeap version in your project dependencies (e.g., build.sbt, pom.xml, or package.json)

Verify Fix Applied:

Test with a ZIP archive containing path traversal filenames - extraction should fail or be contained within the target directory.

📡 Detection & Monitoring

Log Indicators:

  • Failed extraction attempts with path traversal patterns
  • Unexpected file writes outside extraction directories
  • ZIP processing errors with suspicious filenames

Network Indicators:

  • Large or unusual ZIP file uploads to MLeap endpoints
  • POST requests to model application endpoints with file attachments

SIEM Query:

source="application.log" AND "FileUtil.extract" AND ("..\\" OR "../")
