How to fix CVE-2024-8859?

Within 30 days: Identify all affected systems running mlflow/mlflow and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Is Mlflow affected by CVE-2024-8859?

Organizations using mlflow/mlflow face notable risk from CVE-2024-8859 rated CVSS 7.5. Exploitation could compromise the security of affected deployments. With an EPSS score of 27%, exploitation is likely in exposed deployments.

CVE-2024-8859

HIGH

2025-03-20 [email protected]

7.5

CVSS 3.0

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:32 vuln.today

Patch Released

Mar 28, 2026 - 18:32 nvd

Patch available

PoC Detected

Aug 05, 2025 - 16:15 vuln.today

Public exploit code

CVE Published

Mar 20, 2025 - 10:15 nvd

HIGH 7.5

Description

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while parts such as query and parameters are not handled. The vulnerability is triggered if the user has configured the dbfs service, and during usage, the service is mounted to a local directory.

Analysis

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 26.9%.

Technical Context

This vulnerability is classified under CWE-29. A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while parts such as query and parameters are not handled. The vulnerability is triggered if the user has configured the dbfs service, and during usage, the service is mounted to a local directory. Affected products include: Lfprojects Mlflow. Version information: version 2.15.1..

Affected Products

Lfprojects Mlflow.

Remediation

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +26.9

CVSS: +38

POC: +20

CVE-2024-8859 vulnerability details – vuln.today

Back

CVE-2024-8859

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2024-8859

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code