Platform: kubernetes
Component: polyaxon/polyaxon
CVE-2024-9363 describes a critical file deletion vulnerability in Polyaxon, a machine learning orchestration platform. The flaw allows unauthenticated attackers to delete essential files inside running containers, causing denial of service. It affects all versions of Polyaxon up to the latest release and requires no authentication to exploit.
The primary impact of CVE-2024-9363 is denial of service. By deleting files such as polyaxon.sock, an attacker can force the API container to exit unexpectedly. The disruption cascades to dependent services and renders the Polyaxon platform unusable. Because no authentication is required, the attack surface is significantly broader and exploitation is easier. The blast radius extends to any service that depends on Polyaxon, potentially including machine learning workflows and data pipelines. This vulnerability resembles other container escape vulnerabilities in which file system access is abused to disrupt service operation.
CVE-2024-9363 was publicly disclosed on 2025-03-20. The vulnerability's ease of exploitation and lack of authentication requirements suggest a medium probability of exploitation (EPSS score likely medium). No public proof-of-concept (PoC) code has been publicly released as of this writing, but the vulnerability's simplicity makes it likely that one will emerge. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS: 0.49% (66th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2024-9363 is to upgrade to a patched version of Polyaxon as soon as it becomes available. Until a patch is deployed, consider implementing stricter Kubernetes Role-Based Access Control (RBAC) policies to limit file system access within containers. Implement network policies to restrict access to the Polyaxon API container. Monitor container logs for suspicious file deletion activity. While a direct workaround is unavailable, enhanced security practices can reduce the attack surface. After upgrading, verify the integrity of the Polyaxon deployment by confirming that critical files are present and accessible within the containers.
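An added example of the network-policy mitigation described above; it is not code from the page or from the Polyaxon project. The namespace `polyaxon`, the API pod label `app.kubernetes.io/name: polyaxon-api`, the API port `8000`, and the ingress-controller namespace label `kubernetes.io/metadata.name: ingress-nginx` are assumptions to adjust to your deployment.

```yaml
# Added example: restrict which clients can reach the Polyaxon API pods.
# Assumptions (adjust to your cluster): Polyaxon runs in namespace "polyaxon",
# API pods carry the label app.kubernetes.io/name=polyaxon-api and listen on
# TCP 8000, and external traffic arrives through an ingress controller in a
# namespace labelled kubernetes.io/metadata.name=ingress-nginx.
---
# 1. Default-deny ingress for every pod in the namespace, so any client that
#    is not explicitly allowed below cannot reach the unauthenticated endpoint.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: polyaxon
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# 2. Allow only the ingress controller and other pods in the same namespace
#    (the remaining Polyaxon components) to talk to the API pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: polyaxon-api-allow
  namespace: polyaxon
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: polyaxon-api
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Ingress controller that fronts the UI/API (assumed namespace label)
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
        # Any pod in the polyaxon namespace itself
        - podSelector: {}
      ports:
        - protocol: TCP
          port: 8000
```

The default-deny policy also applies to the other Polyaxon pods, so add matching allow rules for them, and remember that NetworkPolicy objects are only enforced when the cluster's CNI plugin supports them.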
Update Polyaxon to the latest available version. This should include the fix for the unauthorized file deletion vulnerability. Consult the release notes for more details on the update.
CVE-2024-9363 is a HIGH severity vulnerability in Polyaxon allowing unauthorized file deletion within containers, leading to denial of service. It affects all versions up to the latest.
If you are using Polyaxon up to the latest version and have not upgraded, you are potentially affected. Assess your Kubernetes RBAC policies and container security practices.
Upgrade to a patched version of Polyaxon as soon as it becomes available. Until then, implement stricter RBAC and network policies.
While no public exploits are currently known, the vulnerability's simplicity suggests a potential for exploitation. Monitor security advisories.
Refer to the official Polyaxon security advisories and release notes on their website or GitHub repository for updates and patch information.