Cyber Resilience

CVE-2024-8859

Severity: High · Public PoC

Published: 20 March 2025
Modified: 05 August 2025
KEV Added: not listed
Patch: available (fix commit referenced under Deeper analysis)
CVSS v3 Score: 7.5 (vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.2569 (96.4th percentile)
Risk Priority: 30 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-8859 is a high-severity Path Traversal: '\..\filename' (CWE-29) vulnerability in Lfprojects Mlflow. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks in the top 3.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related — categorised as Machine Learning Libraries; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

MLflow version 2.15.1 is affected by a path traversal vulnerability in its dbfs service. When a URL is concatenated directly into file protocol handling, only the path portion is validated while query strings and other parameters are ignored, allowing an arbitrary file read when the service is configured and mounted to a local directory.

An unauthenticated remote attacker can supply a crafted URL to the mounted dbfs endpoint and retrieve arbitrary files from the underlying filesystem without requiring user interaction or credentials.

The referenced commit 7791b8cdd595f21b5f179c7b17e4b5eb5cbbe654 addresses the flaw, and the issue was disclosed via the Huntr platform.

MLflow's role in machine-learning pipelines makes the dbfs configuration relevant to AI/ML deployments. The EPSS score for this CVE reached a peak of 0.2692.

EU & UK References

Vulnerability details

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while parts such as query and parameters are not handled. The vulnerability is triggered if the user has configured the dbfs service, and during usage, the service is mounted to a local directory.

CWE(s)

CWE-29: Path Traversal: '\..\filename'

AI Security Analysis [AI]

AI Category: Machine Learning Libraries
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: mlflow

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1005 Data from Local System (tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1083 File and Directory Discovery (tactic: Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Why these techniques?

The path traversal vulnerability enables arbitrary file reads from the local filesystem (via the mounted DBFS directory), which supports both collection of data from the local system (T1005) and file and directory discovery (T1083).

CVEs Like This One

CVE-2025-1473 (same product: Lfprojects Mlflow)
CVE-2025-0453 (same product: Lfprojects Mlflow)
CVE-2025-14287 (same product: Lfprojects Mlflow)
CVE-2026-0596 (same product: Lfprojects Mlflow)
CVE-2026-2652 (same product: Lfprojects Mlflow)
CVE-2025-15031 (same product: Lfprojects Mlflow)
CVE-2026-4035 (same product: Lfprojects Mlflow)
CVE-2026-0545 (same product: Lfprojects Mlflow)
CVE-2025-11200 (same product: Lfprojects Mlflow)
CVE-2025-11201 (same product: Lfprojects Mlflow)

Affected Assets

Vendor: lfprojects
Product: mlflow
Version: 2.15.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) [AI]

(prevent) SI-10 Information Input Validation: Directly prevents path traversal by requiring validation of all URL components, including query parameters, before concatenating into file protocols in the MLflow DBFS service.

(prevent) SI-2 Flaw Remediation: Addresses the specific flaw in MLflow 2.15.1 DBFS through timely flaw remediation and patching, as referenced in the vulnerability fix commit.

(prevent) Access enforcement: Enforces authorized access to files in the mounted local directory, limiting the scope of arbitrary reads enabled by the path traversal vulnerability.
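The following is an added example, not code from the MLflow project or from this page, illustrating both the weak pattern described under Deeper analysis (only the parsed path component is checked, then the raw URL tail is joined onto the mount) and the SI-10 control above (validate every URL component before it touches the filesystem). The `dbfs:` scheme, the function names and the mount root `/srv/dbfs-mount` are assumptions made for the example; the generalisation to rejecting params, fragments and percent-encoded traversal goes beyond the specific case in the text.

```python
"""Added example (not MLflow's own code): confining a URL-derived path to a
mounted directory. Function names, the scheme and MOUNT_ROOT are assumptions
constructed for this example."""
from pathlib import Path
from urllib.parse import urlsplit, unquote

# Hypothetical mount point for the service (constructed for this example).
MOUNT_ROOT = Path("/srv/dbfs-mount")


class UnsafePathError(ValueError):
    """Raised when a URL cannot be mapped safely under the mount root."""


def is_under(candidate: Path, root: Path) -> bool:
    """True if candidate (resolved) is root itself or lies below it."""
    root_r, cand_r = root.resolve(), candidate.resolve()
    return cand_r == root_r or root_r in cand_r.parents


def weak_resolve(url: str, mount_root: Path) -> Path:
    """The weak pattern this page describes: only the parsed path component
    is checked for traversal, but the value joined onto the mount is the raw
    URL tail, so query/parameter text reaches the filesystem unchecked."""
    parts = urlsplit(url)
    if ".." in parts.path.split("/"):
        raise UnsafePathError("traversal in path component")
    raw_tail = url.split(":", 1)[1]           # everything after the scheme
    return (mount_root / raw_tail.lstrip("/")).resolve()


def safe_resolve(url: str, mount_root: Path, scheme: str = "dbfs") -> Path:
    """Hardened mapping: reject every non-path component outright, decode and
    normalise the path, and confirm the result stays under mount_root."""
    parts = urlsplit(url)
    if parts.scheme != scheme:
        raise UnsafePathError(f"unexpected scheme {parts.scheme!r}")
    if parts.netloc or parts.query or parts.fragment:
        raise UnsafePathError("URL carries a host, query or fragment component")
    path = unquote(parts.path)                # decode %2e%2e before checking
    # urlsplit leaves ';params' inside .path; backslashes and NULs are never valid here.
    if ";" in path or "\\" in path or "\x00" in path:
        raise UnsafePathError("disallowed character in path")
    segments = [s for s in path.split("/") if s and s != "."]
    if any(s == ".." for s in segments):
        raise UnsafePathError("traversal segment in path")
    candidate = mount_root.joinpath(*segments)
    if not is_under(candidate, mount_root):   # belt and braces after normalisation
        raise UnsafePathError("resolved path escapes mount root")
    return candidate.resolve()


def rejects(url: str, mount_root: Path) -> bool:
    """Does the hardened resolver refuse this URL?"""
    try:
        safe_resolve(url, mount_root)
    except UnsafePathError:
        return True
    return False


if __name__ == "__main__":
    # Constructed regression inputs: the first is benign, the rest must be refused.
    for u in ("dbfs:/data/file.txt",
              "dbfs:/data/file.txt?x=/../../../outside.txt",
              "dbfs:/data/%2e%2e/outside.txt",
              "dbfs:/data/file.txt;v=1"):
        print(f"{u:50} rejected={rejects(u, MOUNT_ROOT)}")
```

The design point is that the hardened resolver refuses URLs with any component other than scheme and path rather than stripping those components, so a request that does not look like a plain file reference is logged as a rejection instead of being silently normalised. The final `is_under` check is deliberately redundant with the segment filter: it catches symlinks under the mount and any future change to the normalisation logic.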

References