Full Report
Cybersecurity researchers have disclosed multiple security flaws impacting open-source machine learning (ML) tools and frameworks such as MLflow, H2O, PyTorch, and MLeap that could pave the way for code execution. The vulnerabilities, discovered by JFrog, are part of a broader collection of 22 security shortcomings the supply chain security company first disclosed last month. Unlike the first
Analysis Summary
# Vulnerability: Multiple Flaws in ML Frameworks Leading to Client Code Execution
## CVE Details
- **CVE-2024-27132 (MLflow)**
  - CVSS Score: 7.2 (High)
  - CWE: Insufficient sanitization (implied by the XSS-to-RCE chain)
- **CVE-2024-6960 (H2O)**
  - CVSS Score: 7.5 (High)
  - CWE: Unsafe deserialization
## Affected Systems
- **Products:** MLflow, H2O, PyTorch, MLeap (General client-side security issues across frameworks)
- **Versions:** Not specified in the report; consult the vendor advisories for the affected version ranges.
- **Configurations:** The flaws are triggered when ML clients process untrusted models or workflows (for example, running an untrusted MLflow recipe in a Jupyter Notebook).
## Vulnerability Description
Cybersecurity researchers disclosed multiple vulnerabilities affecting popular open-source Machine Learning (ML) tools. Unlike the previously disclosed server-side issues, these flaws reside in libraries that parse nominally "safe" model formats (such as Safetensors) and affect ML clients rather than servers.
1. **MLflow (CVE-2024-27132):** Insufficient sanitization when running an untrusted MLflow recipe in a Jupyter Notebook leads to Cross-Site Scripting (XSS), which can result in client-side Remote Code Execution (RCE).
2. **H2O (CVE-2024-6960):** An unsafe deserialization issue exists when importing an untrusted ML model, potentially leading to RCE.
3. **PyTorch (No CVE):** A path traversal issue exists in the TorchScript feature, allowing for Denial-of-Service (DoS) or code execution via arbitrary file overwrite (potentially overwriting critical system files or legitimate pickle files).
Successful exploitation of an ML client can allow attackers to perform lateral movement, access sensitive ML services (like Model Registries), exfiltrate credentials, backdoor stored models, or achieve direct code execution on the client machine.
## Exploitation
- **Status:** Active exploitation is not reported; the technical descriptions imply the triggering conditions (running untrusted recipes, importing untrusted models).
- **Complexity:** Likely Medium, since the victim must process untrusted data or run malicious code within an ML environment.
- **Attack Vector:** Primarily files or models distributed to ML clients (Network/Adjacent, requiring user interaction to load the payload).
## Impact
- **Confidentiality:** High (Access to model registry credentials, sensitive data).
- **Integrity:** High (Ability to backdoor ML models, arbitrary file overwrite).
- **Availability:** Medium to High (Potential for DoS via file overwrite).
## Remediation
### Patches
Patches are expected to be released by the respective vendors (MLflow, H2O, PyTorch) to address these specific issues. Users should consult vendor advisories for specific version updates that fix CVE-2024-27132 and CVE-2024-6960, and the path traversal flaw in PyTorch.
### Workarounds
Users should treat all incoming or downloaded ML models, code recipes, and serialized model artifacts from untrusted sources as they would untrusted executable code.
- Restrict the execution environment for ML clients, especially those that handle external models (e.g., run models in sandboxed container environments).
- Validate or sanitize inputs aggressively when integrating ML components from unknown third parties or public repositories.
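The following is an added example of the "validate before you load" workaround; it is not code from MLflow, H2O, PyTorch or JFrog, and it does not reproduce any specific flaw in the report. It treats a model artifact delivered as a zip archive as untrusted input: every member is inspected for path traversal, symlinks and embedded pickle streams before anything touches disk, the artifact can be pinned to an approved SHA-256, and extraction is re-checked for containment after path resolution. The sample archives are constructed inline.

```python
"""Pre-extraction checks for a model artifact delivered as a zip archive.

Added example for the workaround guidance above; it is not code from MLflow,
H2O, PyTorch or JFrog. The sample archives are constructed here, and the checks
are generic (path traversal, symlinks, embedded pickle, digest pinning) rather
than a reproduction of any specific flaw described in the report.
"""
import hashlib
import io
import zipfile
from pathlib import Path, PurePosixPath
from typing import Optional

# Pickle stream headers for protocols 2-5 (PROTO opcode followed by the version).
# A nominally "safe" artifact should not need pickle payloads, so they are flagged.
PICKLE_MAGIC = {b"\x80\x02", b"\x80\x03", b"\x80\x04", b"\x80\x05"}


def member_findings(info: zipfile.ZipInfo, head: bytes) -> list[str]:
    """Return the problems found for one archive member (empty list if clean)."""
    findings = []
    name = info.filename
    parts = PurePosixPath(name).parts
    if name.startswith(("/", "\\")) or ".." in parts or (len(name) > 1 and name[1] == ":"):
        findings.append(f"path traversal: {name!r}")
    # Symlink members are encoded in the Unix mode bits of external_attr.
    if ((info.external_attr >> 16) & 0o170000) == 0o120000:
        findings.append(f"symlink member: {name!r}")
    if head[:2] in PICKLE_MAGIC:
        findings.append(f"pickle payload: {name!r}")
    return findings


def inspect_archive(data: bytes) -> list[str]:
    """Scan every member before anything is written to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                head = fh.read(2)
            findings.extend(member_findings(info, head))
    return findings


def safe_extract(data: bytes, dest: Path, expected_sha256: Optional[str] = None) -> list[str]:
    """Extract into dest only if the digest matches (when given) and no findings exist.

    Returns the list of findings; an empty list means the extraction happened.
    """
    if expected_sha256 and hashlib.sha256(data).hexdigest() != expected_sha256.lower():
        return ["sha256 mismatch: artifact is not the approved build"]
    findings = inspect_archive(data)
    if findings:
        return findings
    dest = dest.resolve()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = (dest / info.filename).resolve()
            try:
                target.relative_to(dest)  # containment check after path resolution
            except ValueError:
                return [f"escaped destination: {info.filename!r}"]
            zf.extract(info, dest)
    return []


def build_samples() -> dict[str, bytes]:
    """Constructed archives: a clean one, one with traversal, one carrying a pickle."""
    def make(members):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, payload in members:
                zf.writestr(name, payload)
        return buf.getvalue()

    return {
        "clean": make([
            ("model/config.json", b'{"arch": "demo"}'),
            # 8-byte little-endian header length followed by an empty JSON header.
            ("model/weights.safetensors", b"\x02\x00\x00\x00\x00\x00\x00\x00{}"),
        ]),
        "traversal": make([("../../tmp/overwritten.txt", b"not a model")]),
        "pickled": make([("model/classifier.pkl", b"\x80\x04\x95\x00")]),
    }


if __name__ == "__main__":
    for label, blob in build_samples().items():
        print(label, inspect_archive(blob) or "clean")
```

The inspection is deliberately separate from the extraction so it can run in a gate (CI job, registry admission hook) that never writes files; the digest pin turns "download from a public repository" into "load the exact artifact someone reviewed".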
## Detection
- **Indicators of Compromise:** Look for unexpected outbound network connections originating from ML training/inference environments, modification of system configuration files, or execution of Python/shell commands outside of standard workflow scripts.
- **Detection Methods and Tools:** Enhanced monitoring of deserialization events (especially within H2O processing) and sandboxing of code execution originating from loading ML artifacts.
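As an added example of the indicators listed above (not code from JFrog or any vendor), the following toy detection pass applies three rules to endpoint telemetry from an ML host: a shell spawned by an ML interpreter, an outbound connection from an ML process to a destination outside the expected internal range, and a write to system configuration or the model store. The JSONL events, host name, process names, allowlist and protected paths are all constructed for the demo; real EDR/SIEM field names differ and would need mapping.

```python
"""Toy detection pass over endpoint telemetry from ML workstations.

Added example for the detection section above; it is not code from JFrog or
any vendor. The JSONL events, host names, process names and allowlist are all
constructed for the demo; real EDR/SIEM field names differ and need mapping.
"""
import json
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumption: the interpreters and notebook servers that load ML artifacts.
ML_PROCESSES = {"python", "python3", "jupyter-notebook", "jupyter-lab", "java"}
SHELLS = {"sh", "bash", "zsh", "dash", "cmd.exe", "powershell.exe"}
# Constructed: destinations a training job is expected to reach (internal only).
ALLOWED_NETWORKS = [ip_network("10.0.0.0/8")]
# Paths an ML job has no business writing to: system config and the model store.
PROTECTED_PREFIXES = ("/etc/", "/usr/lib/python", "/usr/local/lib/python", "/opt/models/")

# Constructed sample telemetry (one JSON object per line).
SAMPLE_EVENTS = """\
{"ts":"2024-12-10T09:01:02Z","host":"ml-train-01","type":"process","parent":"python3","image":"bash","cmdline":"bash -c id"}
{"ts":"2024-12-10T09:01:03Z","host":"ml-train-01","type":"process","parent":"python3","image":"python3","cmdline":"python3 train.py"}
{"ts":"2024-12-10T09:01:05Z","host":"ml-train-01","type":"network","image":"python3","dst":"203.0.113.7","dport":443}
{"ts":"2024-12-10T09:01:06Z","host":"ml-train-01","type":"network","image":"python3","dst":"10.20.0.5","dport":5000}
{"ts":"2024-12-10T09:01:08Z","host":"ml-train-01","type":"file","image":"python3","op":"write","path":"/etc/hosts"}
{"ts":"2024-12-10T09:01:09Z","host":"ml-train-01","type":"file","image":"python3","op":"write","path":"/opt/models/prod/classifier.pkl"}
{"ts":"2024-12-10T09:01:10Z","host":"ml-train-01","type":"file","image":"python3","op":"write","path":"/home/ana/runs/out.log"}
"""


def evaluate(ev: dict) -> Optional[dict]:
    """Apply the three rules from the indicator list; return a finding or None."""
    kind = ev.get("type")
    image = ev.get("image")
    if kind == "process" and ev.get("parent") in ML_PROCESSES and image in SHELLS:
        rule, detail = "shell-from-ml-process", ev.get("cmdline", "")
    elif kind == "network" and image in ML_PROCESSES:
        try:
            dst = ip_address(ev["dst"])
        except (KeyError, ValueError):
            return None
        if any(dst in net for net in ALLOWED_NETWORKS):
            return None
        rule, detail = "unexpected-outbound", f"{dst}:{ev.get('dport')}"
    elif (kind == "file" and image in ML_PROCESSES and ev.get("op") == "write"
          and str(ev.get("path", "")).startswith(PROTECTED_PREFIXES)):
        rule, detail = "protected-path-write", ev["path"]
    else:
        return None
    return {"rule": rule, "ts": ev.get("ts"), "host": ev.get("host"), "detail": detail}


def run_detections(jsonl: str) -> list[dict]:
    """Parse JSON lines, skipping malformed ones, and collect findings in order."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = evaluate(ev)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in run_detections(SAMPLE_EVENTS):
        print(finding)
```

Four of the seven constructed events fire; the ordinary training process, the connection to the internal registry and the write to the user's run directory do not. In production the allowlist and protected paths belong in configuration per environment, and the process-name sets should be derived from the actual images deployed on the ML hosts.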
## References
- Vendor Advisories for MLflow, H2O, and PyTorch (Consult vendor release notes for full patch details).
- JFrog Blog Post (Defanged URL): hxxps://jfrog.com/blog/machine-learning-bug-bonanza-exploiting-ml-clients-and-safe-models/