CVE-2024-8859

HIGH
Published Mar 20, 2025 Modified Aug 5, 2025 CWE-29

Description

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while parts such as query and parameters are not handled. The vulnerability is triggered if the user has configured the dbfs service, and during usage, the service is mounted to a local directory.

Is your site exposed to CVE-2024-8859?

Run a free security scan — no signup, results in seconds.

CVSS v3.1 Score

7.5
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Weakness Type (CWE)

CWE-29 CWE-29

Affected Products

Vendor Product
lfprojects mlflow

References

Frequently Asked Questions

What is CVE-2024-8859? +
A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directly into the file protocol results in an arbitrary file read vulnerability. This issue occurs because only the path part of the URL is checked, while parts such as query and parameters are not handled. The vulnerability is triggered if the user has configured the dbfs service, and during usage, the service is mounted to a local directory. It has a CVSS v3.1 base score of 7.5 (HIGH).
How severe is CVE-2024-8859? +
CVE-2024-8859 has a CVSS v3.1 score of 7.5 out of 10, rated HIGH. This is a high-severity vulnerability that should be prioritized for patching.
What products are affected by CVE-2024-8859? +
CVE-2024-8859 affects products from lfprojects, specifically: mlflow. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2024-8859? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2024-8859 — free, no signup required.