CVE-2024-37054: MLflow: deserialization RCE via malicious PyFunc model

HIGH PoC AVAILABLE
Published June 4, 2024
CISO Take

Any team running MLflow for model tracking or registry is exposed: an attacker with model upload access can trigger arbitrary code execution on any user who loads a poisoned PyFunc model. Patch immediately and audit your model registry for unauthorized uploads. Enforce strict least-privilege access controls on who can push models to MLflow.

What is the risk?

High risk (CVSS 8.8). Attack complexity is low, and the CVSS vector scores privileges as None because the attacker needs no rights on the victim machine; in practice the attacker still has to get a model somewhere the victim loads from (model upload access to the registry, or an MLflow tracking server reachable without authentication, which is MLflow's default when no auth app or proxy is configured). Only user interaction (loading the model) triggers execution. In shared MLflow environments common across data science teams, a single poisoned model can compromise multiple workstations or CI/CD runners. Blast radius scales directly with team size and the degree of pipeline automation, since automated evaluation jobs load models without a human looking at them first.

What systems are affected?

Package | Ecosystem | Vulnerable range | Patched
MLflow | pip | 0.9.0 and newer (per the advisory below) | No patch listed

If you load PyFunc models from any MLflow tracking server or registry, you are affected. The flaw sits in the loading client, not only the server: the code runs wherever mlflow.pyfunc.load_model() is called.

How severe is it?

CVSS 3.1
8.8 / 10
EPSS
0.7%
chance of exploitation in 30 days
Higher than 48% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

7 steps
  1. Upgrade MLflow to the latest release. The affected-package table on this page lists no patched version for this CVE, so treat the upgrade as hygiene rather than as closing the issue; the controls below are the actual mitigation.

  2. Audit the model registry for PyFunc models uploaded by unexpected users or from unknown sources, especially recently created model versions.

  3. Restrict model upload permissions: apply least privilege so only trusted service accounts can push models to the registry. MLflow ships without authentication, so enable its built-in basic-auth app or put the tracking server behind an authenticating reverse proxy before relying on any permission model.

  4. Implement model artifact signing and integrity verification, and refuse to load any artifact whose signature or hash does not match the registered value.

  5. Isolate model loading in sandboxed containers with no production credentials and no outbound network access; the loader, not the registry, is where the code executes.

  6. Monitor for anomalous process spawning from MLflow worker and server processes (e.g., unexpected shells or outbound connections) and from the notebook kernels and pipeline runners that load models.

  7. If you cannot control who publishes to a registry, stop loading PyFunc models from it in automated pipelines and gate each load behind a manual review workflow.
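Steps 2 and 3 above amount to a query against the registry. The following is an added example, not code from the advisory or from MLflow: it pages through MLflow's `model-versions/search` REST endpoint and flags recent model versions whose publisher or artifact source is outside an allowlist. The allowlists, the 30-day window, the `NOW_MS` reference time and `SAMPLE_RESPONSE` are constructed for illustration and are not MLflow defaults.

```python
"""Triage recent MLflow model versions by publisher and artifact source."""
import json
import urllib.parse
import urllib.request

# Assumed site policy: principals allowed to publish, and where legitimate
# artifacts are expected to live. Adjust to your registry.
ALLOWED_PUBLISHERS = {"ci-bot", "mlops-release"}
ALLOWED_SOURCE_PREFIXES = ("s3://ml-artifacts-prod/",)

# Constructed reference time: 2024-06-04T00:00:00Z in epoch milliseconds.
NOW_MS = 1_717_459_200_000
DAY_MS = 86_400_000


def fetch_model_versions(tracking_uri, token=None, page_size=200):
    """Page through GET /api/2.0/mlflow/model-versions/search on a live server."""
    base = tracking_uri.rstrip("/") + "/api/2.0/mlflow/model-versions/search"
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    versions, page_token = [], None
    while True:
        params = {"max_results": page_size}
        if page_token:
            params["page_token"] = page_token
        req = urllib.request.Request(base + "?" + urllib.parse.urlencode(params),
                                     headers=headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        versions.extend(page.get("model_versions", []))
        page_token = page.get("next_page_token")
        if not page_token:
            return versions


def suspicious_versions(versions, now_ms, window_days=30):
    """Return versions created inside the window that fail either allowlist."""
    cutoff = now_ms - window_days * DAY_MS
    findings = []
    for mv in versions:
        if int(mv.get("creation_timestamp", 0)) < cutoff:
            continue                                   # outside the audit window
        reasons = []
        if mv.get("user_id") not in ALLOWED_PUBLISHERS:
            reasons.append(f"publisher {mv.get('user_id')!r} not allowlisted")
        if not str(mv.get("source", "")).startswith(ALLOWED_SOURCE_PREFIXES):
            reasons.append(f"source {mv.get('source')!r} outside approved store")
        if reasons:
            findings.append({"name": mv["name"], "version": mv["version"],
                             "user_id": mv.get("user_id"), "reasons": reasons})
    return findings


# Constructed stand-in for one page of the search response.
SAMPLE_RESPONSE = {"model_versions": [
    {"name": "fraud-scorer", "version": "7", "user_id": "ci-bot",
     "creation_timestamp": NOW_MS - 10 * DAY_MS,
     "source": "s3://ml-artifacts-prod/1/7f3a/artifacts/model"},
    {"name": "fraud-scorer", "version": "8", "user_id": "jdoe",
     "creation_timestamp": NOW_MS - 2 * DAY_MS,
     "source": "s3://ml-artifacts-prod/1/9c11/artifacts/model"},
    {"name": "churn-model-v2", "version": "1", "user_id": "ci-bot",
     "creation_timestamp": NOW_MS - 1 * DAY_MS,
     "source": "file:///tmp/upload/model"},
    {"name": "legacy-ranker", "version": "3", "user_id": "unknown",
     "creation_timestamp": NOW_MS - 90 * DAY_MS,
     "source": "file:///old/ranker"},
]}


def demo():
    """Run the triage over the constructed response instead of a live server."""
    return suspicious_versions(SAMPLE_RESPONSE["model_versions"], NOW_MS)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['name']} v{f['version']} by {f['user_id']}: {'; '.join(f['reasons'])}")
```

`user_id` on a model version is supplied by the client that registered it, so on an unauthenticated server it is attacker-controllable; treat it as a lead and confirm against the server's access logs and the artifact store's own audit trail.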
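Step 6 above is a process-ancestry rule. The following detection logic is an added example, not code from the advisory, from MLflow or from any EDR product: it runs over process-creation events and alerts when an MLflow server, an `mlflow models serve` worker or a notebook kernel spawns a shell, a network client or inline Python. The event shape, the `SAMPLE_EVENTS`, the parent pattern and the allowlist of children MLflow is expected to spawn itself are constructed assumptions to tune against your own telemetry.

```python
"""Flag suspicious child processes of MLflow loaders and servers."""
import os.path
import re

# Parents that load or serve models: anything invoking mlflow (CLI, library,
# gunicorn mlflow.server) plus Jupyter kernels on workstations. Assumption.
LOADER_PARENT = re.compile(r"\bmlflow\b|ipykernel_launcher", re.I)
SHELLS = {"sh", "bash", "dash", "zsh"}
NET_TOOLS = {"curl", "wget", "nc", "ncat", "socat"}
# Children MLflow spawns itself when restoring a model environment (tuning allowlist).
EXPECTED_CHILDREN = {"conda", "virtualenv", "pip", "pyenv", "python", "python3"}


def detect(events):
    """Return one alert per event whose MLflow-related parent spawned something odd."""
    alerts = []
    for ev in events:
        if not LOADER_PARENT.search(ev.get("parent_cmdline", "")):
            continue                                  # parent is not a model loader/server
        child = os.path.basename(ev.get("exe", ""))
        cmd = ev.get("cmdline", "")
        if child in SHELLS:
            sev, why = "high", "shell spawned by MLflow process"
        elif child in NET_TOOLS:
            sev, why = "high", "network client spawned by MLflow process"
        elif child.startswith("python") and " -c " in f" {cmd} ":
            sev, why = "medium", "inline python (-c) spawned by MLflow process"
        elif child in EXPECTED_CHILDREN:
            continue                                  # env restore / packaging helpers
        else:
            sev, why = "medium", f"unexpected child {child!r} of MLflow process"
        alerts.append({"ts": ev["ts"], "host": ev["host"], "pid": ev["pid"],
                       "severity": sev, "reason": why, "cmdline": cmd,
                       "parent_cmdline": ev["parent_cmdline"]})
    return alerts


# Constructed process-creation events in an EDR-like shape (not a real schema).
SAMPLE_EVENTS = [
    {"ts": "2024-06-04T09:12:03Z", "host": "mlflow-01", "pid": 4312, "ppid": 2107,
     "exe": "/bin/sh", "cmdline": "sh -c 'curl http://198.51.100.7/beacon'",
     "parent_exe": "/opt/venv/bin/python",
     "parent_cmdline": "gunicorn -b 0.0.0.0:5000 mlflow.server:app"},
    {"ts": "2024-06-04T09:14:41Z", "host": "mlflow-01", "pid": 4320, "ppid": 2200,
     "exe": "/opt/conda/bin/conda", "cmdline": "conda env create -f conda.yaml -n mlflow-3f2a",
     "parent_exe": "/opt/venv/bin/python",
     "parent_cmdline": "python -m mlflow models serve -m models:/fraud-scorer/8 --env-manager conda"},
    {"ts": "2024-06-04T10:02:17Z", "host": "ds-laptop-7", "pid": 9911, "ppid": 8820,
     "exe": "/bin/bash", "cmdline": "bash -c id",
     "parent_exe": "/home/ds/venv/bin/python",
     "parent_cmdline": "python -m ipykernel_launcher -f /home/ds/.local/share/jupyter/runtime/kernel-1.json"},
    {"ts": "2024-06-04T10:05:55Z", "host": "mlflow-01", "pid": 4401, "ppid": 2200,
     "exe": "/opt/venv/bin/python3", "cmdline": 'python3 -c "import sys; print(sys.version)"',
     "parent_exe": "/opt/venv/bin/python",
     "parent_cmdline": "python -m mlflow models serve -m models:/fraud-scorer/8 --env-manager conda"},
    {"ts": "2024-06-04T11:30:00Z", "host": "etl-03", "pid": 1502, "ppid": 1400,
     "exe": "/bin/bash", "cmdline": "bash -c 'gzip /var/log/etl.log'",
     "parent_exe": "/usr/bin/python3",
     "parent_cmdline": "python3 /srv/etl/run_nightly.py"},
]


def demo():
    """Run the rule over the constructed events."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in demo():
        print(f"[{a['severity']}] {a['host']} pid={a['pid']}: {a['reason']} ({a['cmdline']})")
```

The last sample event shows the coverage gap of this approach: a plain script that calls `mlflow.pyfunc.load_model()` has no "mlflow" in its command line, so the parent filter misses it. Extend `LOADER_PARENT` with your pipeline runners, or key the rule on Python processes that have the MLflow package mapped, rather than on command-line text alone.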

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree. The "Exploitation: none" value reflects CISA's enrichment at the time it was made; in the same decision tree a public proof of concept maps to the "poc" value, so re-run the tree against the exploit status shown above before accepting "Track" for your environment.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 (Accuracy, Robustness and Cybersecurity); Article 9 (Risk Management System)
ISO 42001
A.10.1 (Supply Chain Relationships); A.6.2 (AI System Security)
NIST AI RMF
MEASURE 2.2 - AI System Cybersecurity Risk Evaluation
OWASP LLM Top 10
LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-37054?

CVE-2024-37054 is a deserialization-of-untrusted-data flaw (CWE-502) in MLflow 0.9.0 and newer: a maliciously crafted PyFunc model runs attacker-controlled code on the machine that loads it. Anyone with model upload access to an MLflow tracking server or registry can therefore execute code on every user and pipeline that loads the poisoned model.

Is CVE-2024-37054 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-37054, increasing the risk of exploitation.

How to fix CVE-2024-37054?

1. Upgrade MLflow to the latest release; this page lists no patched version, so the remaining controls are the real mitigation. 2. Audit the model registry for PyFunc models uploaded by unexpected users or from unknown sources, especially recently. 3. Restrict model upload permissions with least privilege, and enable authentication on the tracking server (MLflow ships without it). 4. Implement model artifact signing and integrity verification before loading in any environment. 5. Isolate model loading in sandboxed containers with no production credentials or network access. 6. Monitor for anomalous process spawning from MLflow worker, server and loader processes (e.g., unexpected shells or outbound connections). 7. If you cannot control who publishes to a registry, stop loading PyFunc models from it in automated pipelines and gate loads behind manual review.

What systems are affected by CVE-2024-37054?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, model registries, training pipelines, experiment tracking, model serving.

What is the CVSS score for CVE-2024-37054?

CVE-2024-37054 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.70%.

What is the AI security impact?

Affected AI Architectures

MLOps platforms, model registries, training pipelines, experiment tracking, model serving

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0049 Exploit Public-Facing Application
AML.T0058 Publish Poisoned Models

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.10.1, A.6.2
NIST AI RMF: MEASURE 2.2
OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.9.0 or newer, enabling a maliciously uploaded PyFunc model to run arbitrary code on an end user’s system when interacted with.

Exploitation Scenario

An adversary with access to your MLflow tracking server — obtained via a compromised data scientist account, an unauthenticated public-facing MLflow instance, or an insider — uploads a maliciously crafted PyFunc model to the model registry. The model appears legitimate with a plausible name, valid metrics, and realistic parameters. When a data scientist runs mlflow.pyfunc.load_model() during evaluation, or an automated pipeline triggers model validation, the deserialization of the model file executes attacker-controlled code on the host. The adversary gains a shell on the victim machine, which in ML environments typically carries cloud IAM credentials, access to training datasets in S3 or GCS, and connectivity to internal services — turning a model registry upload into full cloud environment compromise.
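The check a practitioner wants in this scenario, before `mlflow.pyfunc.load_model()` touches the artifact, is a static look at what loading would execute. The following is an added example, not code from the advisory or from MLflow. It assumes the PyFunc layout MLflow writes to disk (an `MLmodel` file whose `python_function` flavor names a `loader_module`, and a `python_model.pkl` serialized with cloudpickle) and walks every pickle's opcodes with `pickletools.genops`, which never executes the pickle, to list the module-level names it would import. The allowlists, the `_ConstructedPayload` class and the two sample model directories are constructed for illustration.

```python
"""Static pre-load inspection of an MLflow PyFunc model directory."""
import collections
import pathlib
import pickle
import pickletools
import re
import subprocess
import tempfile

# Site policy (assumptions, not MLflow defaults): which loader modules may run
# and which modules a legitimate python_model.pkl is expected to reference.
ALLOWED_LOADER_MODULES = {"mlflow.pyfunc.model", "mlflow.sklearn"}
ALLOWED_GLOBAL_PREFIXES = ("mlflow.", "cloudpickle.", "numpy.", "sklearn.", "collections.")
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def pickle_globals(data):
    """Every module.attr a pickle would import on load, recovered by walking
    its opcodes. GLOBAL carries the pair inline (protocols 0-3); STACK_GLOBAL
    (protocol 4+) pops two strings, which may arrive via the memo."""
    found, stack, memo, last, n_memo = set(), [], {}, None, 0
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name in STRING_OPS:                      # operand for a later STACK_GLOBAL
            stack.append(arg)
            last = arg
            continue
        if name == "MEMOIZE":                       # sequential memo slot
            if last is not None:
                memo[n_memo] = last
            n_memo += 1
            continue
        if name in ("PUT", "BINPUT", "LONG_BINPUT"):  # explicit memo slot
            if last is not None:
                memo[arg] = last
            continue
        if name in ("GET", "BINGET", "LONG_BINGET") and arg in memo:
            last = memo[arg]                        # string re-pushed from the memo
            stack.append(last)
            continue
        if name == "GLOBAL":
            found.add(arg.replace(" ", ".", 1))     # genops yields "module attr"
        elif name == "STACK_GLOBAL" and len(stack) >= 2:
            found.add(f"{stack[-2]}.{stack[-1]}")
        last = None
    return found


def loader_module_of(model_dir):
    """Read flavors.python_function.loader_module from MLmodel without a YAML dependency."""
    mlmodel = model_dir / "MLmodel"
    if not mlmodel.is_file():
        return None
    m = re.search(r"^\s*loader_module:\s*(\S+)", mlmodel.read_text(), re.M)
    return m.group(1) if m else None


def inspect_model_dir(model_dir):
    """Reject unknown loaders and any pickle that imports outside the allowlist."""
    model_dir = pathlib.Path(model_dir)
    report = {"loader_module": loader_module_of(model_dir), "globals": {}, "reasons": []}
    if report["loader_module"] not in ALLOWED_LOADER_MODULES:
        report["reasons"].append(f"loader_module {report['loader_module']!r} not allowlisted")
    for pkl in sorted(model_dir.rglob("*.pkl")):    # assumption: pickles end in .pkl
        names = sorted(pickle_globals(pkl.read_bytes()))
        report["globals"][pkl.name] = names
        report["reasons"] += [f"{pkl.name} imports {g}" for g in names
                              if not g.startswith(ALLOWED_GLOBAL_PREFIXES)]
    report["safe_to_load"] = not report["reasons"]
    return report


class _ConstructedPayload:
    """Constructed sample only: reduces to a subprocess call on unpickle.
    The inspector only reads its opcodes; nothing here ever pickle.load()s it."""
    def __reduce__(self):
        return (subprocess.Popen, (["true"],))


def write_sample_model(root, python_model_obj):
    """Constructed stand-in for the directory mlflow.pyfunc.save_model writes."""
    d = pathlib.Path(root)
    d.mkdir(parents=True, exist_ok=True)
    (d / "MLmodel").write_text(
        "artifact_path: model\nflavors:\n  python_function:\n"
        "    loader_module: mlflow.pyfunc.model\n"
        "    python_model: python_model.pkl\n    python_version: 3.11.0\n")
    (d / "python_model.pkl").write_bytes(pickle.dumps(python_model_obj, protocol=4))
    return d


def demo():
    """Inspect one benign and one malicious constructed model; returns both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        good = write_sample_model(pathlib.Path(tmp) / "good",
                                  collections.OrderedDict(w=[0.1, 0.2]))
        bad = write_sample_model(pathlib.Path(tmp) / "bad", _ConstructedPayload())
        return inspect_model_dir(good), inspect_model_dir(bad)


if __name__ == "__main__":
    for r in demo():
        print(r["safe_to_load"], r["reasons"] or r["globals"])
```

Two limits matter in practice. First, cloudpickle serializes a `PythonModel` subclass by value, so a real `python_model.pkl` legitimately contains function bodies reconstructed through `cloudpickle.*` globals; an import allowlist cannot see inside those bodies, which is exactly why an untrusted PyFunc model is unsafe to load at all and why steps 3 and 4 (publisher control and artifact signing) are the controls that actually hold. Second, pickles also hide inside other containers (zip-based checkpoints, joblib files), so extend the file scan to whatever your flavors write. Use this as a pre-filter in a sandboxed loader, not as a substitute for provenance.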

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published
June 4, 2024
Last Modified
February 3, 2025
First Seen
June 4, 2024

Related Vulnerabilities