
May 15, 2025
CVE-2024-2928: MLflow Local File Inclusion via URI Fragment Manipulation
Read about an LFI vulnerability disclosed in MLflow which allowed unauthenticated remote attackers to read arbitrary files by exploiting URI fragments containing directory traversal sequences.
CVE Overview
In April 2024, a high-severity Local File Inclusion (LFI) vulnerability was disclosed in MLflow, an open-source platform for managing the complete machine learning lifecycle. The vulnerability exists in versions prior to 2.11.3 and is due to improper sanitization of the fragment component (#) in URIs.
This flaw allows unauthenticated remote attackers to read arbitrary files from the MLflow server’s filesystem by exploiting crafted URI fragments containing directory traversal sequences.
This vulnerability is an evolution of a previously patched path traversal issue in MLflow, bypassing earlier fixes by abusing the fragment portion instead of query parameters.
CVE ID: CVE-2024-2928
Severity: High
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 90.40%
Published: April 12, 2024
Affected Versions: ≤ 2.11.2
Patched Version: 2.11.3
Vulnerability Breakdown
The vulnerability arises from MLflow’s improper handling of URL fragments. While browsers do not send the fragment (#) to the server, MLflow parses the raw HTTP request line, inadvertently including the fragment during artifact path resolution.
By inserting a fragment like #../etc/passwd, attackers can bypass server-side path sanitization and access sensitive files outside the intended model artifact directory.
This allows any unauthenticated attacker with network access to the MLflow server to perform Local File Inclusion (LFI), exposing sensitive system files such as:
- /etc/passwd
- Environment variables
- Application secrets
Exploitation
An attacker can exploit this vulnerability by sending a crafted request using tools that allow sending raw HTTP requests (e.g., curl, Burp Suite, netcat).
Example exploit request:
GET /model-uri/model-name/artifacts/somefile#../etc/passwd HTTP/1.1
Host: target-ip:5000
If the server is vulnerable, it will respond with the contents of /etc/passwd:
HTTP/1.1 200 OK
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
…
Important Note:
Browsers will not transmit fragments (#) to the server, so this attack requires tools that allow raw HTTP manipulation.
Impact
Successful exploitation allows unauthenticated attackers to:
- Read arbitrary files from the MLflow server.
- Expose sensitive configurations, credentials, and keys.
- Assist in further attack chaining, such as harvesting credentials for pivoting.
Detection
- Version Check: Confirm the installed MLflow version. Versions ≤ 2.11.2 are vulnerable.
- Access Logs: Review MLflow server logs for unusual requests containing suspicious fragment usage.
- System Monitoring: Monitor for unauthorized access to sensitive files.
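The access-log review above is easier to do systematically with a small scanner. The following is example detection code added for this write-up, not an MLflow or OffSec tool: it parses request lines in Common Log Format (an assumption about the log layout; the sample lines are constructed) and flags any request target whose fragment, after percent-decoding, contains a `..` path segment. Because browsers never transmit the fragment, a `#` in a logged request target already indicates a non-browser client, and a traversal sequence after it is the CVE-2024-2928 pattern.

```python
"""Scan access logs for request targets whose URI fragment carries a
directory-traversal sequence (the CVE-2024-2928 pattern). Example detection
code added for this write-up; the log format and sample lines are constructed."""
import re
from urllib.parse import unquote

# Common Log Format request line: "METHOD target HTTP/x.y" (assumed layout)
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A ".." segment delimited by slashes (or backslashes), or at either end
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Constructed sample log: one benign API call, one raw '#' traversal,
# one percent-encoded variant, and one harmless fragment.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2024:10:01:02 +0000] "GET /api/2.0/mlflow/experiments/list HTTP/1.1" 200 512
10.0.0.9 - - [12/Apr/2024:10:02:17 +0000] "GET /model-uri/m/artifacts/somefile#../../../../etc/passwd HTTP/1.1" 200 1841
10.0.0.9 - - [12/Apr/2024:10:02:31 +0000] "GET /model-uri/m/artifacts/somefile%23..%2F..%2Fetc%2Fshadow HTTP/1.1" 500 0
10.0.0.7 - - [12/Apr/2024:10:03:44 +0000] "GET /model-uri/m/artifacts/readme.md#section-2 HTTP/1.1" 200 300
"""


def fragment_traversal(target: str) -> bool:
    """True when the request target, after one round of percent-decoding,
    contains a '#' whose fragment holds a '..' path segment."""
    decoded = unquote(target)
    if "#" not in decoded:
        return False
    fragment = decoded.split("#", 1)[1]
    return bool(TRAVERSAL_RE.search(fragment))


def scan_log(text: str) -> list[dict]:
    """Return one finding per suspicious line: client IP, raw target, status."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or not fragment_traversal(m.group("target")):
            continue
        client = line.split(" ", 1)[0]
        status = line.rsplit('"', 1)[1].split()[0]
        findings.append({"client": client, "target": m.group("target"), "status": status})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run it against the log of whichever component actually sees the raw request line: a reverse proxy in front of MLflow may normalize or strip the target before logging, in which case its log will not show the fragment and the MLflow server's own log (or a packet capture) is the right source. A flagged request with a 200 status and a non-trivial response size deserves the same triage as a confirmed file read.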
Mitigation
- Upgrade Immediately: Patch to MLflow version 2.11.3 or later.
- Network Segmentation: Ensure MLflow servers are not exposed to public or untrusted networks.
- Input Handling: Harden the MLflow codebase and API input parsing to properly sanitize and ignore fragments.
- Security Monitoring: Deploy monitoring solutions to detect unusual file access patterns.
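The Vulnerability Breakdown above and the Input Handling mitigation both come down to one parsing decision: whether the fragment is dropped before the artifact path is resolved, and whether the resolved path is confined to the artifact root. The following is illustrative example code written for this write-up, not MLflow's own implementation; the function names, the artifact root and the input values are assumptions. The first resolver keeps the fragment and treats it as a sub-path, which is the failure mode; the second uses `urllib.parse.urlsplit` to discard the fragment and `os.path.commonpath` to reject any path that normalizes outside the root.

```python
"""Illustrative artifact-path resolution: a fragment-unaware resolver beside a
hardened one. Example code added for this write-up, not MLflow's code; the
function names and artifact root are assumptions."""
import os
from urllib.parse import unquote, urlsplit

ARTIFACT_ROOT = "/srv/mlflow/artifacts"  # constructed example root


def resolve_fragment_unaware(request_target: str, root: str = ARTIFACT_ROOT) -> str:
    """Flawed resolver: keeps the fragment and treats it as a sub-path under the
    artifact. Enough '../' segments in the fragment walk out of the root once
    the path is normalized. Shown for comparison only; never open this path."""
    artifact, _, fragment = request_target.partition("#")
    joined = os.path.join(root, unquote(artifact).lstrip("/"), unquote(fragment))
    return os.path.normpath(joined)


def resolve_hardened(request_target: str, root: str = ARTIFACT_ROOT) -> str:
    """Hardened resolver: drop the fragment before touching the filesystem,
    then confine the normalized path to the artifact root (raises on escape)."""
    # urlsplit separates scheme/netloc/path/query/fragment; only path is used,
    # so 'somefile#../../etc/passwd' resolves to just 'somefile'.
    parts = urlsplit(request_target)
    rel = unquote(parts.path).lstrip("/")
    root_abs = os.path.abspath(root)
    candidate = os.path.abspath(os.path.join(root_abs, rel))
    # commonpath is the containment check; a bare startswith() would wrongly
    # accept a sibling directory such as /srv/mlflow/artifacts-old.
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        raise ValueError(f"path escapes artifact root: {request_target!r}")
    return candidate


if __name__ == "__main__":
    probe = "somefile#../../../../etc/passwd"  # constructed input
    print("unaware :", resolve_fragment_unaware(probe))
    print("hardened:", resolve_hardened(probe))
```

The containment check is the part that survives future bypasses: even if an encoded `%23` is decoded into a literal `#` inside a filename component, or traversal arrives in the path itself rather than the fragment, `commonpath` rejects anything that normalizes outside the root, so the fix does not depend on recognizing every encoding of the fragment delimiter.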
References