AI Threat Alert AI Threat Alert

CVE-2024-37052: MLflow: RCE via malicious scikit-learn model upload

HIGH PoC AVAILABLE
Published June 4, 2024
CISO Take

Any shared MLflow instance where users can upload models is exposed to remote code execution — an attacker needs only publish a crafted scikit-learn model and wait for a colleague or pipeline to load it. Patch MLflow immediately; until patched, restrict model upload permissions to trusted CI/CD service accounts only and audit recent model artifacts for suspicious submissions. This is a direct, practical threat to your ML platform supply chain with low exploitation complexity.

Risk Assessment

High severity (CVSS 8.8). MLflow is ubiquitous in enterprise ML environments, and shared model registries with multi-user write access are the norm in data science teams. Exploitation requires no elevated privileges on the MLflow instance — only the ability to upload a model file, which is routinely granted to developers, data scientists, and CI/CD systems. Low complexity and broad organizational exposure make this a practical, high-likelihood threat. The payload executes with the victim's OS user privileges, enabling lateral movement, credential theft, or data exfiltration from the ML environment.

Affected Systems

Package Ecosystem Vulnerable Range Patched
mlflow pip No patch
25.7K OpenSSF 4.5 624 dependents Pushed 7d ago 24% patched ~64d to patch Full package profile →

Do you use mlflow? You're affected.

Severity & Risk

CVSS 3.1
8.8 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 55% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI Required
S Unchanged
C High
I High
A High

Recommended Action

6 steps

  1. Patch: Upgrade MLflow to the latest patched release immediately — treat as emergency change for production ML platforms.

  2. Access control: Restrict model upload to authenticated CI/CD service accounts; remove interactive write access for human users where feasible.

  3. Model scanning: Integrate pre-load artifact scanning using tools designed to detect malicious pickle payloads (e.g., ProtectAI ModelScan, picklescan) into your ML pipeline gates.

  4. Network segmentation: Ensure MLflow servers are not internet-accessible; enforce VPN or bastion access for all registry interactions.

  5. Detection: Monitor for unexpected process spawning from Python interpreter processes and anomalous outbound connections originating from ML workstations or pipeline workers.

  6. Audit: Review the model upload history for all artifacts uploaded by external contributors or during the exposure window — consider re-validating or purging unverified models.

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Supply Chain Framework Model AML.T0010.001 AML.T0010.003 AML.T0011.000 AML.T0018.002 AML.T0058

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
A.6.2 - AI risk assessment A.9.3 - AI supply chain management
NIST AI RMF
GOVERN 1.1 - Policies and processes for AI risk management MANAGE 2.2 - Risk treatment and response mechanisms for AI systems
OWASP LLM Top 10
LLM05:2023 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-37052?

Any shared MLflow instance where users can upload models is exposed to remote code execution — an attacker needs only publish a crafted scikit-learn model and wait for a colleague or pipeline to load it. Patch MLflow immediately; until patched, restrict model upload permissions to trusted CI/CD service accounts only and audit recent model artifacts for suspicious submissions. This is a direct, practical threat to your ML platform supply chain with low exploitation complexity.

Is CVE-2024-37052 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-37052, increasing the risk of exploitation.

How to fix CVE-2024-37052?

1. Patch: Upgrade MLflow to the latest patched release immediately — treat as emergency change for production ML platforms. 2. Access control: Restrict model upload to authenticated CI/CD service accounts; remove interactive write access for human users where feasible. 3. Model scanning: Integrate pre-load artifact scanning using tools designed to detect malicious pickle payloads (e.g., ProtectAI ModelScan, picklescan) into your ML pipeline gates. 4. Network segmentation: Ensure MLflow servers are not internet-accessible; enforce VPN or bastion access for all registry interactions. 5. Detection: Monitor for unexpected process spawning from Python interpreter processes and anomalous outbound connections originating from ML workstations or pipeline workers. 6. Audit: Review the model upload history for all artifacts uploaded by external contributors or during the exposure window — consider re-validating or purging unverified models.

What systems are affected by CVE-2024-37052?

This vulnerability affects the following AI/ML architecture patterns: model registries, training pipelines, MLOps platforms, model serving, CI/CD model evaluation.

What is the CVSS score for CVE-2024-37052?

CVE-2024-37052 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.32%.

Technical Details

NVD Description

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with.

Exploitation Scenario

An adversary with model-upload access to a shared MLflow registry — via a compromised developer account, malicious insider, or external collaborator with granted access — crafts a scikit-learn model file embedding a malicious pickle payload using standard Python tooling (trivial, publicly documented technique). The attacker registers the model under a plausible, trusted-looking name in the MLflow UI. When a data scientist calls mlflow.sklearn.load_model() during experimentation, or an automated CI/CD pipeline loads the model for evaluation, the payload executes in the victim's process context. From here the attacker can establish a reverse shell, exfiltrate AWS/GCP credentials from environment variables or ~/.aws, access training datasets, or pivot into internal infrastructure. In pipeline contexts this can propagate to production systems before detection.

Weaknesses (CWE)

CWE-502 Primary CWE-502

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Timeline

Published
June 4, 2024
Last Modified
February 3, 2025
First Seen
June 4, 2024

Related Vulnerabilities

CRITICAL CVE-2025-15379 10.0

MLflow: RCE via unsanitized model dependency specs

Same package: mlflow
CRITICAL CVE-2023-3765 10.0

MLflow: path traversal allows arbitrary file read

Same package: mlflow
CRITICAL CVE-2026-2635 9.8

mlflow: security flaw enables exploitation

Same package: mlflow
CRITICAL CVE-2023-2780 9.8

MLflow: path traversal allows arbitrary file read/write

Same package: mlflow
CRITICAL CVE-2023-1177 9.8

MLflow: path traversal allows arbitrary file read/write

Same package: mlflow
Back to Threat Feed