CVE-2024-37053: MLflow RCE — HIGH

CISO Take

Any MLflow deployment where untrusted users can upload models is a full RCE vector — no authentication needed to upload, just get a victim to load the model. Audit who has write access to your MLflow model registry immediately and enforce model signing or allowlisting before loading external artifacts. If your data science teams pull models from shared or public registries without verification, assume compromise risk is active.

What is the risk?

High risk for organizations running MLflow with open or loosely controlled model upload permissions. CVSS 8.8 reflects the realistic scenario: low attack complexity, no attacker privileges required, and complete CIA triad impact once triggered. The user interaction requirement (someone loading the model) is trivially satisfied in normal ML workflows where engineers routinely load models from the registry. Exposure is amplified in multi-tenant MLflow deployments, shared experiment environments, and CI/CD pipelines that auto-load models for evaluation.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
MLflow	pip	—	No patch
26.6K OpenSSF 5.6 655 dependents Pushed 4d ago 31% patched ~51d to patch Full package profile →

Do you use MLflow? You're affected.

How severe is it?

CVSS 3.1

8.8 / 10

EPSS

0.6%

chance of exploitation in 30 days

Higher than 45% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI Required

S Unchanged

C High

I High

A High

What should I do?

7 steps

PATCH

Update MLflow to the latest patched version immediately (check HiddenLayer advisory for exact versions).
ACCESS CONTROL

Restrict model upload permissions to authenticated, authorized users only — enforce RBAC on MLflow server.
MODEL SIGNING

Implement model signing and verification before any load_model() call in pipelines.
NETWORK ISOLATION

Run MLflow behind VPN/internal network only; no public-facing exposure.
DETECTION

Monitor for unexpected process spawning from Python interpreter processes that loaded MLflow models (e.g., curl, bash, nc, reverse shells). Set up EDR alerts on pickle deserialization patterns.
WORKAROUND (if unpatched): Scan model files with tools like fickling (Trail of Bits) to detect malicious pickle payloads before loading.
AUDIT

Review MLflow audit logs for unexpected model uploads, especially from new or external accounts.

What does CISA's SSVC say?

Decision Track

Exploitation none

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Supply Chain Code Execution Framework Model AML.T0010.003 - Model AML.T0011.000 - Unsafe AI Artifacts AML.T0018.002 - Embed Malware AML.T0058 - Publish Poisoned Models AML.T0072 - Reverse Shell

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Robustness, accuracy and cybersecurity Article 9 - Risk management system

ISO 42001

6.1.2 - AI risk assessment 8.4 - AI system supply chain

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems are maintained MAP 5.1 - Likelihood and magnitude of each identified impact based on impacts to individuals, groups, communities, organizations, and society

OWASP LLM Top 10

LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-37053?

Any MLflow deployment where untrusted users can upload models is a full RCE vector — no authentication needed to upload, just get a victim to load the model. Audit who has write access to your MLflow model registry immediately and enforce model signing or allowlisting before loading external artifacts. If your data science teams pull models from shared or public registries without verification, assume compromise risk is active.

Is CVE-2024-37053 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-37053, increasing the risk of exploitation.

How to fix CVE-2024-37053?

1. PATCH: Update MLflow to the latest patched version immediately (check HiddenLayer advisory for exact versions). 2. ACCESS CONTROL: Restrict model upload permissions to authenticated, authorized users only — enforce RBAC on MLflow server. 3. MODEL SIGNING: Implement model signing and verification before any load_model() call in pipelines. 4. NETWORK ISOLATION: Run MLflow behind VPN/internal network only; no public-facing exposure. 5. DETECTION: Monitor for unexpected process spawning from Python interpreter processes that loaded MLflow models (e.g., curl, bash, nc, reverse shells). Set up EDR alerts on pickle deserialization patterns. 6. WORKAROUND (if unpatched): Scan model files with tools like fickling (Trail of Bits) to detect malicious pickle payloads before loading. 7. AUDIT: Review MLflow audit logs for unexpected model uploads, especially from new or external accounts.

What systems are affected by CVE-2024-37053?

This vulnerability affects the following AI/ML architecture patterns: Model registries, ML experiment tracking platforms, Training pipelines, MLOps CI/CD pipelines, Model serving (evaluation phase).

What is the CVSS score for CVE-2024-37053?

CVE-2024-37053 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.62%.

What is the AI security impact?

Affected AI Architectures

Model registriesML experiment tracking platformsTraining pipelinesMLOps CI/CD pipelinesModel serving (evaluation phase)

MITRE ATLAS Techniques

AML.T0010.003 Model

AML.T0011.000 Unsafe AI Artifacts

AML.T0018.002 Embed Malware

AML.T0058 Publish Poisoned Models

AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Article 15, Article 9

ISO 42001: 6.1.2, 8.4

NIST AI RMF: MANAGE 2.2, MAP 5.1

OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scikit-learn model to run arbitrary code on an end user’s system when interacted with.

Exploitation Scenario

Adversary identifies an organization's MLflow instance (often exposed internally, sometimes publicly). Without requiring existing credentials (PR:N), they register a malicious scikit-learn model file containing a crafted pickle payload — trivially generated with publicly available tools. The payload establishes a reverse shell or downloads a second-stage implant. The adversary then waits or socially engineers a team member to run an evaluation script, trigger a CI/CD pipeline that auto-evaluates new models, or simply browse the experiment in the MLflow UI — any of which calls load_model() and triggers execution. In automated MLOps pipelines, exploitation is fully silent: upload model, wait for the next evaluation cron job, receive shell.

Weaknesses (CWE)

CWE-502 Deserialization of Untrusted Data Primary CWE-502 Deserialization of Untrusted Data

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

[Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
[Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.