CVE-2024-2083

CRITICAL

zenml < 0.55.5 - Path Traversal via /api/v1/steps Logs URI Parameter


Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-2083. PoCs published by Saptaktdk.

AI-analyzed exploit summary: The repository contains only a README describing a Dockerized vulnerable lab for CVE-2024-2083 in ZenML, a path traversal vulnerability in the step logs API. No actual exploit code or technical details are provided.

Description

A directory traversal vulnerability exists in the zenml-io/zenml repository, specifically within the /api/v1/steps endpoint. Attackers can exploit this vulnerability by manipulating the 'logs' URI path in the request to fetch arbitrary file content, bypassing intended access restrictions. The vulnerability arises due to the lack of validation for directory traversal patterns, allowing attackers to access files outside of the restricted directory.

Exploits (1)

nomisec STUB
by Saptaktdk · poc
https://github.com/Saptaktdk/zenml-CVE-2024-2083-POC

Classification Stub 90%
Attack Type Info Leak
Complexity Trivial
Reliability Theoretical
Target ZenML (version not specified)
Authentication No auth needed
Prerequisites Docker environment to run the vulnerable lab
devstral-2 · analyzed Mar 09, 2026

References (2)

Core 2

Scores

CVSS v3 9.9
EPSS 0.0067
EPSS Percentile 72.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-29
Status published
Products (2)
pypi/zenml 0 - 0.55.5 (PyPI)
zenml/zenml < 0.55.5
Published Apr 16, 2024
Tracked Since Feb 18, 2026