CVE-2024-8859
Published: 20 March 2025
Summary
CVE-2024-8859 is a uncategorised-severity Path Traversal: '\..\filename' (CWE-29) vulnerability in Lfprojects Mlflow. Its CVSS base score is N/A.
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 3.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other Platforms; in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents path traversal by requiring validation of all URL components, including query parameters, before concatenating into file protocols in the MLflow DBFS service.
Addresses the specific flaw in MLflow 2.15.1 DBFS through timely flaw remediation and patching as referenced in the vulnerability fix commit.
Enforces authorized access to files in the mounted local directory, limiting the scope of arbitrary reads enabled by the path traversal vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal vulnerability enables arbitrary file reads from the local filesystem (via mounted DBFS), facilitating collection of data from local system and file/directory discovery.
NVD Description
A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part…
more
of the URL is checked, while parts such as query and parameters are not handled. The vulnerability is triggered if the user has configured the dbfs service, and during usage, the service is mounted to a local directory.
Deeper analysisAI
CVE-2024-8859 is a path traversal vulnerability (CWE-29) in mlflow/mlflow version 2.15.1. The issue affects the DBFS service when users configure it and mount it to a local directory. It stems from directly concatenating URLs into the file protocol, where validation checks only the path component of the URL, neglecting query parameters and other parts, which enables arbitrary file reads.
Exploitation requires an attacker to provide a maliciously crafted URL to the DBFS service during its use. This scenario is feasible for users or attackers who can interact with the configured DBFS service in MLflow. Successful exploitation allows reading arbitrary files from the local directory to which the service is mounted.
Mitigation details are available in the referenced patch commit at https://github.com/mlflow/mlflow/commit/7791b8cdd595f21b5f179c7b17e4b5eb5cbbe654, which addresses the improper URL handling. The vulnerability was reported through the Huntr bounty program at https://huntr.com/bounties/2259b88b-a0c6-4c7c-b434-6aacf6056dcb.
MLflow is an open-source platform for the machine learning lifecycle, making this vulnerability relevant to AI/ML deployments using DBFS integration. No public information indicates real-world exploitation as of the CVE publication on 2025-03-20.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Other Platforms
- Risk Domain
- Privacy and Disclosure
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- MLflow is an open-source platform for managing the ML lifecycle, including experimentation, reproducibility, and deployment of machine learning models, fitting the 'Other Platforms' category as it is not a deep learning framework, ML library, or other specific subcategory.