
May 15, 2025
CVE-2024-2928: MLflow Local File Inclusion via URI Fragment Manipulation
Read about an LFI vulnerability disclosed in MLflow which allowed unauthenticated remote attackers to read arbitrary files by exploiting URI fragments containing directory traversal sequences.
CVE Overview
In April 2024, a high-severity Local File Inclusion (LFI) vulnerability was disclosed in MLflow, an open-source platform for managing the complete machine learning lifecycle. The vulnerability exists in versions prior to 2.11.3 and is due to improper sanitization of the fragment component (#) in URIs.
This flaw allows unauthenticated remote attackers to read arbitrary files from the MLflow server's filesystem, limited only to what the MLflow server process itself can read, by sending crafted URI fragments containing directory traversal sequences.
This vulnerability is an evolution of a previously patched path traversal issue in MLflow, bypassing earlier fixes by abusing the fragment portion instead of query parameters.
CVE ID: CVE-2024-2928
Severity: High
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 90.40%
Published: April 12, 2024
Affected Versions: ≤ 2.11.2
Patched Version: 2.11.3
Vulnerability Breakdown
The vulnerability arises from MLflow's handling of URL fragments. Browsers strip the fragment (everything from the # onward) before sending a request, but nothing in HTTP stops a client from placing a # in the request-target, and MLflow processed the path as received, fragment included, when resolving artifact paths.
By inserting a fragment such as #../etc/passwd, an attacker supplies traversal sequences that the server-side path sanitization does not catch but that are still present when the artifact path is resolved on disk, giving access to files outside the intended model artifact directory.
This allows any unauthenticated attacker with network access to the MLflow server to perform Local File Inclusion (LFI), reading any file the server process can read, for example:
- /etc/passwd
- Environment variables of the server process (via /proc/self/environ)
- Application secrets such as configuration files, tokens, and cloud or database credentials
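The following is an added example and is not MLflow's code: it is a simplified model of the bug class described above. The resolver names (resolve_weak, resolve_hardened), the artifact root and the sample paths are hypothetical. It shows why a sanitizer that inspects only the URL-parsed path component is blind to a fragment (urlsplit puts everything after # into .fragment), while a join of the raw request string still honours the traversal, and it shows a hardened resolver that refuses fragments and confines the resolved path to the artifact root.

```python
"""Illustrative model of the CVE-2024-2928 bug class (added example, not MLflow code).

A sanitizer that validates the URL-parsed path component never sees a fragment,
because urlsplit() puts everything after '#' into .fragment. If the code that
resolves the artifact on disk then uses the raw request string, traversal
sequences hidden in the fragment take effect.
"""
import posixpath
from urllib.parse import urlsplit

# Hypothetical artifact root used for the demonstration (not a real deployment).
ARTIFACT_ROOT = "/srv/mlflow/artifacts"


def has_traversal(path: str) -> bool:
    """True if any path segment is '..' (backslash treated as a separator too)."""
    return any(seg == ".." for seg in path.replace("\\", "/").split("/"))


def resolve_weak(requested: str) -> str:
    """Weak resolver: validates only the parsed path, then joins the raw string.

    A plain '../' is rejected, but a '#' moves the traversal into the fragment,
    which this check never inspects.
    """
    parts = urlsplit(requested)
    if parts.path.startswith("/") or has_traversal(parts.path):
        raise ValueError(f"traversal rejected: {requested!r}")
    # Bug pattern: the fragment-bearing string, not the validated path, is joined.
    return posixpath.normpath(posixpath.join(ARTIFACT_ROOT, requested))


def resolve_hardened(requested: str) -> str:
    """Hardened resolver: refuse scheme/host/query/fragment, validate, then confine."""
    parts = urlsplit(requested)
    if parts.scheme or parts.netloc or parts.query or parts.fragment:
        raise ValueError(f"only a plain relative path is accepted: {requested!r}")
    if parts.path.startswith("/") or has_traversal(parts.path):
        raise ValueError(f"traversal rejected: {requested!r}")
    resolved = posixpath.normpath(posixpath.join(ARTIFACT_ROOT, parts.path))
    # Defence in depth: whatever the parser did, the result must stay under the root.
    if posixpath.commonpath([ARTIFACT_ROOT, resolved]) != ARTIFACT_ROOT:
        raise ValueError(f"resolved path escapes artifact root: {resolved}")
    return resolved


def is_rejected(resolver, requested: str) -> bool:
    """True if the resolver refuses the request."""
    try:
        resolver(requested)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # '#' followed by enough '../' to climb out of the root; the depth needed
    # depends on where the artifact root sits on the target.
    payload = "somefile#/../../../../etc/passwd"
    for name, fn in (("weak", resolve_weak), ("hardened", resolve_hardened)):
        for req in ("model-name/artifacts/somefile", "../etc/passwd", payload):
            try:
                print(f"{name:8} {req!r:40} -> {fn(req)}")
            except ValueError as exc:
                print(f"{name:8} {req!r:40} -> rejected ({exc})")
```

The weak resolver rejects ../etc/passwd outright (the behaviour an earlier path-traversal fix would give you) yet returns /etc/passwd for the fragment-bearing payload; the hardened one rejects the payload at the fragment check and would still catch it at the commonpath check if the parser were fooled some other way.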
Exploitation
An attacker can exploit this vulnerability by sending a crafted request with a tool that transmits the request-target exactly as written (e.g., Burp Suite Repeater or netcat).
Example exploit request:
GET /model-uri/model-name/artifacts/somefile#../etc/passwd HTTP/1.1
Host: target-ip:5000
If the server is vulnerable, it will respond with the contents of /etc/passwd:
HTTP/1.1 200 OK
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
…
Important Note: Browsers strip the fragment (#) before sending a request, and so do most HTTP client libraries and curl, so this attack requires a tool that sends the request line verbatim, with the # left in place.
Impact
Successful exploitation allows unauthenticated attackers to:
- Read arbitrary files from the MLflow server.
- Expose sensitive configurations, credentials, and keys.
- Assist in further attack chaining, such as harvesting credentials for pivoting.
Detection
- Version Check: Confirm the installed MLflow version (for example with python -c "import mlflow; print(mlflow.__version__)"). Versions ≤ 2.11.2 are vulnerable.
- Access Logs: Review MLflow server and reverse proxy access logs for request targets that contain a # together with directory traversal sequences such as ../, including percent-encoded forms of those characters.
- System Monitoring: Monitor for the MLflow server process reading files outside its artifact and working directories, such as /etc/passwd or /proc/self/environ.
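As an added example of the access-log check above (not a tool shipped with MLflow), the scanner below parses Common Log Format lines, as gunicorn or a reverse proxy in front of MLflow would typically write them, percent-decodes the request target so that %23 (#) and double-encoded variants are caught, and flags any target whose fragment carries a .. segment. The log lines are constructed for the demonstration; the endpoint in the flagged lines is the one used in this article's exploit request, and the function names are hypothetical.

```python
"""Scan access-log lines for fragment-based traversal attempts (added example).

The log lines below are constructed for the demonstration and are not real
MLflow output. The request target is percent-decoded (bounded, to catch double
encoding) before matching, so '%23' ('#') and '%2e%2e' ('..') are detected.
"""
import re
from urllib.parse import unquote

# Constructed sample log in Common Log Format.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2024:10:01:02 +0000] "GET /health HTTP/1.1" 200 2
10.0.0.9 - - [12/Apr/2024:10:01:07 +0000] "GET /model-uri/model-name/artifacts/somefile#../etc/passwd HTTP/1.1" 200 2140
10.0.0.9 - - [12/Apr/2024:10:01:09 +0000] "GET /model-uri/model-name/artifacts/somefile%23..%2F..%2Fetc%2Fshadow HTTP/1.1" 500 0
10.0.0.7 - - [12/Apr/2024:10:02:00 +0000] "GET / HTTP/1.1" 200 1024
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# '..' as a whole segment: at the start or right after '#', '/' or '\'.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/#])\.\.(?:[\\/]|$)')


def decode_target(target: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly (at most `rounds` times) to expose double encoding."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def fragment_traversal(target: str) -> bool:
    """True if the decoded request target carries a '..' segment at or after a '#'."""
    decoded = decode_target(target)
    if "#" not in decoded:
        return False
    return TRAVERSAL_RE.search(decoded[decoded.index("#"):]) is not None


def scan_log(lines):
    """Return one finding per suspicious line; a 200 with a body suggests success."""
    findings = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m or not fragment_traversal(m["target"]):
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "target": m["target"],
            "status": status,
            "likely_success": status == 200 and size > 0,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        verdict = "LIKELY SUCCESS" if f["likely_success"] else "attempt"
        print(f"{f['time']} {f['ip']} {f['status']} {verdict}: {f['target']}")
```

A 200 with a non-empty body on a fragment-traversal request is the line to escalate; a 4xx/5xx still tells you someone is probing. Plain ../ traversal without a # belongs to the earlier, already patched issue and is worth a separate rule.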
Mitigation
- Upgrade Immediately: Patch to MLflow version 2.11.3 or later.
- Network Segmentation and Authentication: Ensure MLflow servers are not exposed to public or untrusted networks, and put them behind authentication (for example MLflow's built-in basic-auth app, started with mlflow server --app-name basic-auth, or an authenticating reverse proxy), since the tracking server accepts requests from anyone by default.
- Input Handling: Until the upgrade is done, reject request targets that contain a # (raw or percent-encoded) or directory traversal sequences at a reverse proxy or WAF in front of MLflow; legitimate artifact paths never need either.
- Security Monitoring: Deploy monitoring to detect unusual file access by the MLflow server process and to alert on the log patterns described under Detection.