CVE-2024-2928: MLflow Local File Inclusion via URI Fragment Manipulation

Research & Tutorials

May 15, 2025

Read about an LFI vulnerability disclosed in MLflow which allowed unauthenticated remote attackers to read arbitrary files by exploiting URI fragments containing directory traversal sequences.

OffSec Team

CVE Overview

In April 2024, a high-severity Local File Inclusion (LFI) vulnerability was disclosed in MLflow, an open-source platform for managing the complete machine learning lifecycle. The vulnerability exists in versions prior to 2.11.3 and is due to improper sanitization of the fragment component (#) in URIs.

This flaw allows unauthenticated remote attackers to read arbitrary files from the MLflow server’s filesystem by exploiting crafted URI fragments containing directory traversal sequences.
This vulnerability is an evolution of a previously patched path traversal issue in MLflow, bypassing earlier fixes by abusing the fragment portion instead of query parameters.

CVE ID: CVE-2024-2928

Severity: High
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 90.40%
Published: April 12, 2024
Affected Versions: ≤ 2.11.2
Patched Version: 2.11.3


Vulnerability Breakdown

The vulnerability arises from MLflow’s improper handling of URL fragments. While browsers do not send the fragment (#) to the server, MLflow parses the raw HTTP request line, inadvertently including the fragment during artifact path resolution.

By inserting a fragment like #../etc/passwd, attackers can bypass server-side path sanitization and access sensitive files outside the intended model artifact directory.

This allows any unauthenticated attacker with network access to the MLflow server to perform Local File Inclusion (LFI), exposing sensitive system files such as:

  • /etc/passwd
  • Environment variables
  • Application secrets

Exploitation

An attacker can exploit this vulnerability by sending a crafted request using tools that allow sending raw HTTP requests (e.g., curl, Burp Suite, netcat).

Example exploit request:

GET /model-uri/model-name/artifacts/somefile#../etc/passwd HTTP/1.1
Host: target-ip:5000

If the server is vulnerable, it will respond with the contents of /etc/passwd:

HTTP/1.1 200 OK

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

Important Note:
Browsers will not transmit fragments (#) to the server, so this attack requires tools that allow raw HTTP manipulation.


Impact

Successful exploitation allows unauthenticated attackers to:

  • Read arbitrary files from the MLflow server.
  • Expose sensitive configurations, credentials, and keys.
  • Assist in further attack chaining, such as harvesting credentials for pivoting.

Detection

  • Version Check: Confirm the installed MLflow version. Versions ≤ 2.11.2 are vulnerable.
  • Access Logs: Review MLflow server logs for unusual requests containing suspicious fragment usage.
  • System Monitoring: Monitor for unauthorized access to sensitive files.
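The "Access Logs" item above is the one that can be automated. The following is an added example (not MLflow's code and not part of the original post) that scans access-log lines for request targets carrying a fragment, and flags those whose fragment or path decodes to a directory-traversal sequence. The log lines are constructed for the example in the common access-log layout (client, timestamp, quoted request line, status); the request-line regex is an assumption about that layout and should be adjusted to whatever your MLflow front end (gunicorn, a reverse proxy) actually writes.

```python
"""Scan access-log lines for fragment-based traversal attempts (added example).

Constructed sample data; not MLflow's code. Adjust REQUEST_RE to your log format.
"""
import re
from urllib.parse import unquote

# Pulls method, target and status out of a common-log-format entry (assumed layout).
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# A '..' path segment delimited by '/' or '\', checked after percent-decoding.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

# Constructed sample log: one clean request, two fragment-traversal attempts
# (the second percent-encoded), one harmless fragment, one static asset.
SAMPLE_LOG = """\
10.0.0.5 - - [15/May/2025:10:01:02 +0000] "GET /model-uri/model-name/artifacts/somefile HTTP/1.1" 200 512
10.0.0.9 - - [15/May/2025:10:01:07 +0000] "GET /model-uri/model-name/artifacts/somefile#../etc/passwd HTTP/1.1" 200 2048
10.0.0.9 - - [15/May/2025:10:01:09 +0000] "GET /model-uri/model-name/artifacts/somefile#%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 200 1024
10.0.0.7 - - [15/May/2025:10:02:00 +0000] "GET /api/2.0/mlflow/experiments/list#overview HTTP/1.1" 200 300
10.0.0.7 - - [15/May/2025:10:02:04 +0000] "GET /static/index.html HTTP/1.1" 200 4096
"""


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so double-encoded '..' is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_target(target: str):
    """Return a reason string for a suspicious request target, or None.

    'fragment-traversal' is the pattern this CVE is about; 'path-traversal' is
    ordinary traversal in the path; 'fragment-present' is informational, since a
    browser never sends a fragment and its mere presence means a raw-HTTP client.
    """
    path, _, fragment = target.partition("#")
    if fragment and TRAVERSAL_RE.search(decode_fully(fragment)):
        return "fragment-traversal"
    if TRAVERSAL_RE.search(decode_fully(path)):
        return "path-traversal"
    if fragment:
        return "fragment-present"
    return None


def scan_log(text: str) -> list:
    """Return one finding per suspicious line: client, target, status, reason."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue                       # not a request line we understand
        reason = classify_target(match.group("target"))
        if reason is None:
            continue
        findings.append({
            "line": lineno,
            "client": line.split(" ", 1)[0],
            "target": match.group("target"),
            "status": match.group("status"),
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 200 status on a `fragment-traversal` hit is the strongest signal, because a patched server (or a proxy that strips fragments) should never serve such a request successfully; `fragment-present` hits with no traversal are worth a look only because browsers never transmit fragments, so whatever sent them was a hand-built request.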

Mitigation

  • Upgrade Immediately: Patch to MLflow version 2.11.3 or later.
  • Network Segmentation: Ensure MLflow servers are not exposed to public or untrusted networks.
  • Input Handling: Harden the MLflow codebase and API input parsing to properly sanitize and ignore fragments.
  • Security Monitoring: Deploy monitoring solutions to detect unusual file access patterns.
