VYPR
High severity · NVD Advisory · Published Mar 20, 2025 · Updated Mar 20, 2025

Path Traversal in mlflow/mlflow

CVE-2024-8859

Description

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while parts such as query and parameters are not handled. The vulnerability is triggered if the user has configured the dbfs service, and during usage, the service is mounted to a local directory.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A path traversal in mlflow 2.15.1 allows reading arbitrary files via crafted URLs when DBFS is configured and mounted locally.

Root Cause

CVE-2024-8859 is a path traversal vulnerability in mlflow/mlflow version 2.15.1 that is reachable when the DBFS service is configured and mounted to a local directory [1]. The server-side validator, `_validate_non_local_source_contains_relative_paths`, percent-decodes the submitted source string and then inspects only the path component returned by `urllib.parse.urlparse`; the decoded string is nevertheless used as a whole when the file is opened [1][3]. An attacker can therefore place ".." segments after a decoded "?" or "#" so that they fall into the query or fragment, which the path-only check never sees [3].

Exploitation

An attacker exploits this by submitting a model version source such as dbfs:/<run_id>/artifacts/a%3f/../../../../../../../../../../ to the model-version creation endpoint (`/api/2.0/mlflow/model-versions/create` in the regression test); after decoding, `%3f` becomes `?`, so the traversal sequence sits in the query string and the path check passes [3]. The advisory requires only that the DBFS service be configured and mounted; it mentions no further authentication requirement [1]. The fix, introduced in commit 7791b8c, rejects any source in which a `/`-separated segment of the fully decoded string equals "..", regardless of whether that segment lies in the path, query, or fragment [3].
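The following Python model is an added example, not mlflow's own code, and reproduces only what the patch makes visible: the decode-until-fixed-point loop, the path-only inspection via `urlparse`, and the one-line `..` check added by the fix. The tail of the real validator is not shown in the diff, so the "reject `..` in the path" stand-in and the `local_path_for` join onto a hypothetical `/dbfs` mount are assumptions used to illustrate why the query-string payload from the regression test passes the old check but escapes the mount. The run ID and the fragment and double-encoded variants of the payload are constructed inputs.

```python
"""Model of CVE-2024-8859: a path-only check on a decoded URL misses '..'
that lands in the query or fragment.  Added example; not mlflow's code."""
import posixpath
import re
import urllib.parse


def fully_unquote(source: str) -> str:
    """Percent-decode until nothing changes (this loop is in the mlflow
    handler), so double-encoded input such as %253f cannot hide."""
    while (unquoted := urllib.parse.unquote_plus(source)) != source:
        source = unquoted
    return source


def url_path_component(source: str) -> str:
    """The only thing the pre-fix check inspected: urlparse(...).path.
    Anything after a decoded '?' or '#' is not part of it."""
    return re.sub(r"/+", "/", urllib.parse.urlparse(source).path.rstrip("/"))


def accepted_by_path_only_check(source: str) -> bool:
    """Pre-fix behaviour, simplified.  The real function resolves the path
    with pathlib and compares; this '..'-in-segments test is a stand-in
    (assumption) that shares the same blind spot: it only sees the path."""
    path = url_path_component(fully_unquote(source))
    if "\x00" in path:
        return False
    return ".." not in path.split("/")


def accepted_by_patched_check(source: str) -> bool:
    """Post-fix behaviour: additionally reject a '..' segment anywhere in the
    fully decoded source, which is the one-line change in commit 7791b8c."""
    decoded = fully_unquote(source)
    if any(p == ".." for p in decoded.split("/")):
        return False
    return accepted_by_path_only_check(decoded)


def local_path_for(source: str, mount: str = "/dbfs") -> str:
    """What a DBFS backend mounted at `mount` would touch if it strips the
    scheme and joins the remainder verbatim.  This join models the
    description's 'mounted to a local directory'; it is an assumption, not
    mlflow's storage code."""
    decoded = fully_unquote(source)
    rest = decoded[len("dbfs:"):] if decoded.startswith("dbfs:") else decoded
    return posixpath.normpath(mount + "/" + rest.lstrip("/"))


def escapes_mount(source: str, mount: str = "/dbfs") -> bool:
    """True if the normalised local path leaves the mount point."""
    resolved = local_path_for(source, mount)
    return not (resolved == mount or resolved.startswith(mount + "/"))


# Constructed inputs: the payload from the fix's regression test plus a
# plain in-path traversal, a fragment ('#') variant and a double-encoded one.
RUN_ID = "run123"
BENIGN = f"dbfs:/{RUN_ID}/artifacts/model"
IN_PATH = f"dbfs:/{RUN_ID}/artifacts/../../../../etc/passwd"
IN_QUERY = f"dbfs:/{RUN_ID}/artifacts/a%3f/../../../../../../../../../../"
IN_FRAGMENT = f"dbfs:/{RUN_ID}/artifacts/a%23/../../../../../../../../../../etc/passwd"
DOUBLE_ENCODED = f"dbfs:/{RUN_ID}/artifacts/a%253f/../../../../../../../../../../"

if __name__ == "__main__":
    cases = [("benign", BENIGN), ("in path", IN_PATH), ("in query", IN_QUERY),
             ("in fragment", IN_FRAGMENT), ("double-encoded", DOUBLE_ENCODED)]
    for label, src in cases:
        print(f"{label:15} path-only={accepted_by_path_only_check(src)!s:5} "
              f"patched={accepted_by_patched_check(src)!s:5} "
              f"escapes={escapes_mount(src)!s:5} -> {local_path_for(src)}")
```

Running the script shows the gap the fix closes: the in-path traversal is caught by both checks, but the query, fragment and double-encoded variants all pass the path-only check while still resolving outside the mount, and only the patched check rejects them.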

Impact

Successful exploitation allows an attacker to read arbitrary files on the system where the DBFS service is mounted [1]. This can lead to disclosure of sensitive configuration files, model data, or other information accessible to the MLflow process.

Mitigation

The vulnerability has been addressed in the MLflow repository by improving `_validate_non_local_source_contains_relative_paths` so that it rejects ".." segments anywhere in the decoded source [3]. The GitHub Security Advisory lists every release before 2.17.0rc0 as affected and 2.17.0rc0 as the first patched version, so users should upgrade to 2.17.0rc0 or later or backport the one-line check from the commit. As of this writing, no evidence of active exploitation in the wild has been reported.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions    Patched versions
mlflow (PyPI)    < 2.17.0rc0          2.17.0rc0

Affected products: 4

Patches: 1
7791b8cdd595

Improve `_validate_non_local_source_contains_relative_paths` to reject malicious path (#13161)

https://github.com/mlflow/mlflow · Harutaka Kawamura · Sep 18, 2024 · via ghsa
2 files changed · +12 −1
  • mlflow/server/handlers.py (+1 −1, modified)
    @@ -1835,7 +1835,7 @@ def _validate_non_local_source_contains_relative_paths(source: str):
         while (unquoted := urllib.parse.unquote_plus(source)) != source:
             source = unquoted
         source_path = re.sub(r"/+", "/", urllib.parse.urlparse(source).path.rstrip("/"))
    -    if "\x00" in source_path:
    +    if "\x00" in source_path or any(p == ".." for p in source.split("/")):
             raise MlflowException(invalid_source_error_message, INVALID_PARAMETER_VALUE)
         resolved_source = pathlib.Path(source_path).resolve().as_posix()
         # NB: drive split is specifically for Windows since WindowsPath.resolve() will append the
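Review bot: the NUL check on the changed line still inspects only `source_path` while the new `..` test inspects the whole decoded `source`; by the same reasoning that widened the `..` check, a `\x00` placed after a decoded `?` or `#` would not be seen here, so consider `if "\x00" in source or any(p == ".." for p in source.split("/")):`. Also, `source.split("/")` recognises only forward-slash segments, while the comment below notes the function handles Windows drive paths; if backslash-separated sources can reach this point, a `..` between backslashes would not match, so either normalise separators before the split or split on both.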
    
  • tests/tracking/test_rest_tracking.py (+11 −0, modified)
    @@ -1482,6 +1482,17 @@ def test_create_model_version_with_non_local_source(mlflow_client):
         assert response.status_code == 400
         assert "If supplying a source as an http, https," in response.json()["message"]
     
    +    response = requests.post(
    +        f"{mlflow_client.tracking_uri}/api/2.0/mlflow/model-versions/create",
    +        json={
    +            "name": name,
    +            "source": f"dbfs:/{run.info.run_id}/artifacts/a%3f/../../../../../../../../../../",
    +            "run_id": run.info.run_id,
    +        },
    +    )
    +    assert response.status_code == 400
    +    assert "Invalid model version source" in response.json()["message"]
    +
     
     def test_create_model_version_with_file_uri(mlflow_client):
         name = "test"
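Review bot: the new case covers only the query-string variant (`a%3f`); since the fix splits the fully decoded source, add parametrised cases for the fragment variant (`a%23/../..`) and a double-encoded one (`a%253f/../..`, which the `unquote_plus` loop in the handler collapses), plus a source that must still be accepted, such as a query value containing `..` inside a segment (`a?x=..y`), so the test also pins down that only whole `..` segments are rejected.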
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0