CVE-2024-8859 – A path traversal vulnerability in MLflow 2.15.1... (How to Fix)

📋 TL;DR

A path traversal vulnerability in MLflow 2.15.1 allows attackers to read arbitrary files when the DBFS service is configured and mounted locally. This occurs because URL query parameters aren't properly validated during file protocol concatenation. Users who have configured DBFS service mounting are affected.

💻 Affected Systems

Products:

mlflow/mlflow

Versions: Version 2.15.1 specifically

Operating Systems: All platforms running MLflow

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when DBFS service is configured and mounted to a local directory

📦 What is this software?

Mlflow by Lfprojects

View all CVEs affecting Mlflow →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server file system compromise including sensitive configuration files, credentials, and application data

🟠

Likely Case

Unauthorized reading of application files, configuration data, and potentially sensitive user data

🟢

If Mitigated

Limited to reading files accessible by the MLflow process user account

🌐 Internet-Facing: MEDIUM - Requires DBFS service configuration and mounting, which is less common in internet-facing deployments

🏢 Internal Only: HIGH - Internal deployments with DBFS configurations are vulnerable to authenticated users

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires knowledge of DBFS configuration and ability to craft malicious URLs with path traversal sequences

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 7791b8cdd595f21b5f179c7b17e4b5eb5cbbe654 and later versions

Vendor Advisory: https://github.com/mlflow/mlflow/commit/7791b8cdd595f21b5f179c7b17e4b5eb5cbbe654

Restart Required: No

Instructions:

1. Update MLflow to version after commit 7791b8cdd595f21b5f179c7b17e4b5eb5cbbe654
2. Verify DBFS URL validation now properly handles query parameters
3. No service restart required for configuration changes

🔧 Temporary Workarounds

Disable DBFS mounting

all

Temporarily disable DBFS service mounting until patched

# Configure MLflow without DBFS mounting
# Review mlflow configuration files and remove DBFS mount configurations

🧯 If You Can't Patch

Implement strict network segmentation to isolate MLflow instances
Apply strict file system permissions to limit MLflow process access

🔍 How to Verify

Check if Vulnerable:

Check if using MLflow 2.15.1 with DBFS service configured and mounted locally

Check Version:

pip show mlflow | grep Version

Verify Fix Applied:

Verify MLflow version is after commit 7791b8cdd595f21b5f179c7b17e4b5eb5cbbe654 and test DBFS URL handling

📡 Detection & Monitoring

Log Indicators:

Unusual file access patterns from MLflow process
Failed path traversal attempts in application logs

Network Indicators:

Suspicious URL patterns with ../ sequences in DBFS requests

SIEM Query:

source="mlflow" AND (url="*../*" OR url="*..\\*" OR url="*%2e%2e%2f*")

📊 Metadata

CVE ID: CVE-2024-8859

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-29

EPSS Score: 26.92% exploit probability (96.2th percentile)

Published: March 20, 2025

Last Updated: August 5, 2025

🔗 References

https://github.com/mlflow/mlflow/commit/7791b8cdd595f21b5f179c7b17e4b5eb5cbbe654 Patch
https://huntr.com/bounties/2259b88b-a0c6-4c7c-b434-6aacf6056dcb Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-8859, you might also want to check these: