CVE-2024-3573
📋 TL;DR
This vulnerability in MLflow allows attackers to perform Local File Inclusion (LFI) by exploiting improper URI parsing in the 'is_local_uri' function. Attackers can craft malicious model versions with specially crafted 'source' parameters to read arbitrary files on the system, potentially exposing sensitive data. All MLflow deployments using vulnerable versions are affected.
💻 Affected Systems
- mlflow/mlflow
📦 What is this software?
Mlflow by Lfprojects
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through reading of sensitive files like SSH keys, configuration files, or database credentials, potentially leading to lateral movement and data exfiltration.
Likely Case
Unauthorized reading of sensitive files within the server's directory structure, exposing configuration files, logs, or other sensitive data.
If Mitigated
Limited file access restricted by server permissions, but still potential for information disclosure.
🎯 Exploit Status
Exploitation requires ability to create or modify model versions in MLflow. The vulnerability is well-documented in public bug bounty reports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions including commit 438a450714a3ca06285eeea34bdc6cf79d7f6cbc
Vendor Advisory: https://github.com/mlflow/mlflow/commit/438a450714a3ca06285eeea34bdc6cf79d7f6cbc
Restart Required: Yes
Instructions:
1. Update MLflow to a version containing fix commit 438a450714a3ca06285eeea34bdc6cf79d7f6cbc
2. Restart MLflow services
3. Verify the fix by testing URI parsing functionality
🔧 Temporary Workarounds
Restrict Model Version Creation
Limit who can create or modify model versions in MLflow to trusted users only.
Network Segmentation
Place MLflow behind authentication and restrict network access to trusted IPs only.
🧯 If You Can't Patch
- Implement strict access controls on MLflow endpoints
- Monitor for unusual file access patterns or model version creation attempts
🔍 How to Verify
Check if Vulnerable:
Check the installed MLflow version and confirm whether it includes fix commit 438a450714a3ca06285eeea34bdc6cf79d7f6cbc. Test URI parsing with empty or 'file' scheme URIs.
Check Version:
mlflow --version
Verify Fix Applied:
After patching, test that the 'is_local_uri' function properly handles URIs with empty or 'file' schemes and prevents LFI attempts.
📡 Detection & Monitoring
Log Indicators:
- Unusual model version creation attempts
- File access patterns outside expected directories
- URI parsing errors in logs
Network Indicators:
- Requests with crafted 'source' parameters in model version creation
- Unusual file read patterns from MLflow server
SIEM Query:
source="mlflow" AND (uri_parsing_error OR model_version_creation) AND (file_scheme OR empty_uri)
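A triage check for the 'source' indicator above, added here as an example; it is not MLflow's code and does not reproduce 'is_local_uri'. It assumes a POSIX server, a hypothetical artifact root of /srv/mlflow/artifacts, and creation events already parsed into records with a 'source' field; the sample records are constructed.

```python
import posixpath
from urllib.parse import unquote, urlparse

# Assumption: the only directory local model sources should point into.
ALLOWED_ROOT = "/srv/mlflow/artifacts"


def classify_source(source, allowed_root=ALLOWED_ROOT):
    """Return 'remote', 'local-ok' or 'local-suspicious' for a 'source' value."""
    parsed = urlparse(source)
    # The advisory names empty and 'file' schemes as the local cases to test.
    if parsed.scheme.lower() not in ("", "file"):
        return "remote"
    # Triage choice: a local source carrying a host, query or fragment is
    # more than a plain path, so it goes to a human.
    if parsed.netloc or parsed.query or parsed.fragment:
        return "local-suspicious"
    # Decode percent-escapes first, then collapse '.' and '..' segments.
    path = posixpath.normpath(unquote(parsed.path))
    root = posixpath.normpath(allowed_root)
    if path == root or path.startswith(root + "/"):
        return "local-ok"
    return "local-suspicious"


# Constructed sample records (not real MLflow logs), one per model version creation.
SAMPLE_EVENTS = [
    {"user": "alice", "name": "churn", "source": "s3://ml-bucket/churn/1/model"},
    {"user": "bob", "name": "churn", "source": "file:///srv/mlflow/artifacts/7/model"},
    {"user": "eve", "name": "tmp", "source": "/srv/mlflow/artifacts/../secrets/config.yml"},
    {"user": "eve", "name": "tmp", "source": "file://otherhost/srv/mlflow/artifacts/7"},
    {"user": "eve", "name": "tmp", "source": "file:///srv/mlflow/artifacts/%2e%2e/%2e%2e/keys"},
]


def triage(events, allowed_root=ALLOWED_ROOT):
    """Return the events whose source is local and not under the allowed root."""
    return [e for e in events
            if classify_source(e["source"], allowed_root) == "local-suspicious"]


if __name__ == "__main__":
    for e in triage(SAMPLE_EVENTS):
        print(f"REVIEW user={e['user']} model={e['name']} source={e['source']}")
```

The path check is purely lexical and does not resolve symlinks, so treat 'local-ok' as lower priority for review, not as cleared.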